Abstract


This thesis presents time-optimal self-stabilizing algorithms for distributed spanning tree computation in asynchronous networks. We present both a randomized algorithm for anonymous networks as well as a deterministic version for ID-based networks. Our protocols are the first to be time-optimal (i.e. stabilize in time O(diameter)) without any prior knowledge of the network size or diameter. Both results are achieved through a technique of symmetry breaking that may be of independent interest.


Executions of randomized distributed algorithms contain a combination of nondeterministic and probabilistic choices; these choices often involve subtle interactions that make such algorithms difficult to verify and analyze. Segala and Lynch have recently developed the Probabilistic Automata model to aid in reasoning about randomized distributed algorithms; their model is related to the earlier work of Lynch and Vaandrager. We use the Probabilistic Automata formalism to analyze the correctness and time complexity of our randomized algorithm for anonymous networks; in doing so, we demonstrate the effectiveness of the formalism in reasoning about randomized algorithms.
Chapter 1


Introduction 


The task of spanning tree construction is a basic primitive in communication networks. Many crucial network tasks, such as network reset (and thus any input/output task), leader election, broadcast, topology update, and distributed database maintenance, can be efficiently carried out in the presence of a tree defined on the network nodes spanning the entire network. Improving the efficiency of the underlying spanning tree algorithm usually also correspondingly improves the efficiency of the particular task at hand.


In practice, computation in asynchronous distributed networks is made much more difficult because of the possibility of numerous kinds of faults. Nodes may crash or get corrupted; links may fail or deliver erroneous messages. Further, nodes or links may enter or leave the network at any time. A very important concept in the context of this problem is that of self-stabilization, first introduced by Dijkstra [Dij74]. Self-stabilization implies the ability of the system to recover from any transient fault that changes the state of the system. Dijkstra gave the example of a token-ring network which is always supposed to have exactly one token. If, through some error, the network were to have zero or two tokens, a self-stabilizing token ring protocol would be able to automatically recover or “stabilize” to a state where the network has exactly one token.


More precisely, a self-stabilizing algorithm on a system S (e.g. the network) reaching a set of legal states P is eventually able to bring S to a state in P when started in any arbitrary initial state. In Dijkstra’s token-ring example, P is the set of states in which the ring has exactly one token. For a self-stabilizing spanning tree algorithm, P would be the set of states having a spanning tree defined on the network nodes. As we can consider the state of the system after a transient error to be an arbitrary state, a self-stabilizing system will eventually “recover” from any non-repeating error. Thus self-stabilization is a very strong and highly desirable fault-tolerance property.


We would therefore like to have an efficient self-stabilizing algorithm for spanning tree construction in asynchronous networks.


A key measure of efficiency is the stabilization time, which is the maximum time taken for the algorithm to converge to a “spanning tree” state, starting from an arbitrary state. Let δ be the diameter of the network, and let n be the network size — the number of nodes in the network. Note that the optimal stabilization time must necessarily be O(δ).


Several factors influence the “difficulty” of the protocol. The protocol can be designed for networks that are either ID-based (each node has a unique “hard-wired” ID), or for networks that are anonymous (in which nodes lack unique IDs, so there is no a priori way of distinguishing them). The protocol may either “know” the network size n, or it may “know” some upper bound on n, or it may “know” nothing whatsoever. Similarly, it may or may not “know” in advance a bound on the diameter δ. Of course, the more “knowledge” a protocol “is given” about the network, the easier it becomes to achieve its objectives.


Previous Work 


Following the pioneering work of [Dij74], there has been considerable work in this area. [Ang80] showed that no deterministic algorithm can construct a spanning tree in an anonymous symmetric network. [AKY90] gave an ID-based self-stabilizing spanning tree protocol with a stabilization time of O(n²) and a randomized protocol for anonymous networks that runs in O(n log n) time. They presented the technique of “local checking” and “local detection,” used in many subsequent papers. [AG90] gave an ID-based self-stabilizing spanning tree protocol with time complexity O(N²), where N is a pre-specified bound on the network size n. [APV91] gave an ID-based self-stabilizing spanning tree protocol (based on a reset protocol) that stabilizes in O(n) time.


[DIM91] gave a self-stabilizing spanning tree algorithm for anonymous networks that runs in expected O(δ log n) time. [AM89] gave a Monte-Carlo spanning tree protocol for anonymous networks that works in O(δ) time; however, their protocol is not self-stabilizing. (A Monte-Carlo algorithm terminates in bounded time but succeeds with probability p < 1; a Las Vegas algorithm may not terminate in bounded time but always succeeds.) With the exception of [AG90], all the other works mentioned above do not assume any prior knowledge of the network size n or the diameter δ.


[DIM91] also mentioned a self-stabilizing spanning tree protocol for anonymous networks that requires O(δ) time (and is thus time-optimal), but requires prior knowledge of a bound N on the network size. Recently, [AKMPV93] have developed a time-optimal self-stabilizing spanning tree protocol for ID-based networks; they, too, require prior knowledge of a bound D on the diameter of the network.


Our Results 


We present the first time-optimal self-stabilizing spanning tree algorithms that do not need any prior knowledge of the network size or diameter. We present both a randomized Las Vegas algorithm for anonymous networks and a deterministic version for ID-based networks. Both our protocols stabilize in expected O(δ) time.


Thus, with respect to the O(δ log n)-time protocol of [DIM91], we decrease the time complexity to O(δ), and compared to their O(δ)-time protocol, we do not need a bound N on the network size. Unlike [AKMPV93], we do not need a bound D on the diameter.


Note that for random graphs, the expected diameter δ is comparable to log n. For real networks, such as the Internet, the diameter is usually less than log n. Thus, decreasing the time complexity from O(δ log n) (as in [DIM91]) to O(δ) represents an improvement in the time required to less than the square root of that required earlier.


Both of our protocols employ a novel technique in self-stabilization. A major concern in self-stabilizing systems has been contending with “wrong information”. For example, an important problem that arises in spanning tree algorithms is the ghost root phenomenon—some nodes in the network may “believe” in the existence of a root node that doesn’t really exist. Most previous approaches to the problem have relied on costly non-local operations such as root verification, network reset, or tree dismantling to eliminate the ghost root. Our technique, on the other hand, is to modify incorrect information instead of performing the expensive process of eliminating it. (A similar idea to that of “correcting information” was implicitly used by [DIM91].) The modification is done locally but in a careful manner: local modifications of wrong information have important desirable global consequences. We do this without incurring the large overhead of global operations such as reset. Compared to [DIM91], we do stronger corrections (but still without causing global overhead). The stronger local corrections enable us to have a better running time.
Chapter 2


The Model 


We assume that the network is represented by an undirected graph G = (V, E); G consists of a set of processors denoted by V = {v_1, v_2, ..., v_n} and a set of links denoted by E = {E_1, E_2, ...} where each E_i ∈ E is a pair (v_j, v_k) for some j, k. In an ID-based network, each processor is assigned a unique ID that is “hard-wired” in its memory. In an anonymous or uniform network, all processors of the same degree are identical; they do not have unique IDs assigned to them. We refer to the number of processors n as the size of the network. The distance between any two processors u and v is the lowest number of links on any path connecting u and v in G. (In an anonymous network, the labels u and v are used for convenience—they are not the IDs of the nodes referred to.) The diameter of the network is the maximum distance between any two nodes in V; we denote the diameter by δ. The set of neighbors of node u, denoted Nbrs(u), is the set {v ∈ V | (u, v) ∈ E}.


The degree of a node v is the number of links incident upon node v. We assume that each processor maintains a total order on its neighbors.


The network is asynchronous; processors perform computation steps independently of each other and at arbitrary rates.


We assume that processors communicate by shared memory. In the shared memory model, each processor is associated with a set of registers, possibly partitioned into a set of local registers and a set of shared registers. Processors communicate by performing write operations on their registers and read operations on the shared registers of their neighbors. All reads and writes are atomic—reads/writes behave as though they occur instantaneously.


A network communicating through shared memory, as described above, can be modeled as a probabilistic automaton ([SL94], [LSS94]).


2.1 Probabilistic Automata 


In this section we give only a simplified version of the model of [SL94] which is sufficient for our purposes.


2.1.1 Automata 


Definition 2.1 A probabilistic automaton M consists of four components:

• a set states(M) of states.
• a nonempty set start(M) ⊆ states(M) of start states.
• a set acts(M) of actions.
• a transition relation steps(M) ⊆ states(M) × acts(M) × Probs(states(M)), where the set Probs(states(M)) is the set of probability spaces (Ω, F, P) such that Ω ⊆ states(M) and F = 2^Ω.


Thus, a probabilistic automaton is a state machine with a labeled transition relation such that the state reached during a step is determined by some probability distribution. For example, the process of choosing a random color from {0, 1, 2} is represented by a step labeled with an action NEXT-COLOR where the next state contains the random color choice and is determined by a probability distribution over the three possible outcomes. A probabilistic automaton also allows nondeterministic choices over steps. A key instance of nondeterminism is the choice of which processor in a network takes the next step.


Given a state s, let D(s), the Dirac distribution on s, denote the probability space that assigns probability 1 to s. Specifically, D(s) = ({s}, 2^{{s}}, P) such that P[{s}] = 1. As a notational convention we write (s, a, s') ∈ steps(M) whenever (s, a, D(s')) ∈ steps(M).


2.1.2 Executions 


An execution fragment α of a probabilistic automaton M is a (finite or infinite) sequence of alternating states and actions starting with a state and, if the execution fragment is finite, ending in a state; α = s_0 a_1 s_1 a_2 s_2 ..., where for each i there exists a probability space (Ω, F, P) such that (s_i, a_{i+1}, (Ω, F, P)) ∈ steps(M) and s_{i+1} ∈ Ω. If i < j, we say “s_i precedes s_j in α,” or “s_j follows s_i in α.” Denote by fstate(α) the first state of α and, if α is finite, denote by lstate(α) the last state of α. Furthermore, denote by frag*(M) and frag(M) the sets of finite and all execution fragments of M, respectively. An execution is an execution fragment whose first state is a start state. Denote by exec*(M) and exec(M) the sets of finite and all executions of M, respectively. A state s of M is reachable if there exists a finite execution of M that ends in s. Denote by rstates(M) the set of reachable states of M.


A finite execution fragment α_1 = s_0 a_1 s_1 ... a_n s_n of M and an execution fragment α_2 = s_n a_{n+1} s_{n+1} ... of M can be concatenated. In this case the concatenation, written α_1 ⌢ α_2, is the execution fragment s_0 a_1 s_1 ... a_n s_n a_{n+1} s_{n+1} .... An execution fragment α_1 of M is a prefix of an execution fragment α_2 of M, written α_1 ≤ α_2, if either α_1 = α_2 or α_1 is finite and there exists an execution fragment α_1' of M such that α_2 = α_1 ⌢ α_1'. If α = α_1 ⌢ α_2, then we denote α_2 with α ▷ α_1 (read α after α_1).


Let U be a subset of states(M). Set U is closed, written U → U, if for any s ∈ U and any step (s, a, (Ω, F, P)), Ω ⊆ U. Thus if U → U, once an execution reaches a state in U, it remains in U. We say that an execution fragment α is in U if every state in α is in U.
2.1.3 Adversaries


In order to study the probabilistic behavior of a probabilistic automaton, some mechanism to remove nondeterminism is necessary. The mechanism that removes the nondeterminism can be viewed as an adversary. In distributed systems the adversary is often called the scheduler, because its main job may be to decide which process should take the next step.


Definition 2.2 An adversary for a probabilistic automaton M is a function A taking a finite execution fragment of M and giving back either nothing or one of the enabled steps of M if there are any. Denote the set of adversaries for M by Advs_M.


2.1.4 Execution Automata 


Once an adversary is chosen, a probabilistic automaton can run under the control of the chosen adversary. The result of the interaction is called an execution automaton. Note that there are no nondeterministic choices left in an execution automaton.


Definition 2.3 An execution automaton H of a probabilistic automaton M is a fully probabilistic automaton such that

1. states(H) ⊆ frag*(M).
2. for each step (α, a, (Ω, F, P)) of H there is a step (lstate(α), a, (Ω', F', P')) of M, called the corresponding step, such that Ω = {α a s | s ∈ Ω'} and P[α a s] = P'[s] for each s ∈ Ω'.
3. each state of H is reachable, i.e., for each α ∈ states(H) there exists an execution of H leading to state α.


Definition 2.4 Given a probabilistic automaton M, an adversary A ∈ Advs_M, and an execution fragment α ∈ frag*(M), the execution H(M, A, α) of M under adversary A with starting fragment α is the execution automaton of M whose start state is α and such that for each step (α', a, (Ω, F, P)) ∈ steps(H(M, A, α)), its corresponding step is the step A(α').
To ease the notation, we define an operator α↑ that takes an execution α of M and gives back the corresponding execution of H, and α↓ that takes an execution α of H and gives back the corresponding execution of M.


2.1.5 Events 


Given an execution automaton H, an event is expressed by means of a set of maximal executions of H, where a maximal execution of H is either infinite, or it is finite and its last state does not enable any step in H. For example, the event “eventually action a occurs” is the set of maximal executions of H where action a does occur. A more formal definition follows. The sample space Ω_H is the set of maximal executions of H. The σ-algebra F_H is the smallest σ-algebra that contains the set of rectangles R_α, consisting of the executions of Ω_H having α as a prefix. The probability measure P_H is the unique extension of the probability measure defined on rectangles as follows: P_H[R_α] is the product of the probabilities of each step of H generating α.


Definition 2.5 An event schema e for a probabilistic automaton M is a function associating an event of F_H with each execution automaton H of M.


2.1.6 Timing 


To mark the passage of time, we include in each state s a real component s.now, and include a special time passage action ν in acts(M), which increments s.now. For all s ∈ start(M), s.now = 0.


Definition 2.6 (Duration of an execution fragment) The duration of an execution fragment α is defined as (lstate(α).now − fstate(α).now).


A statement of the form “within time t in execution α, property P holds” means that property P holds for some state s in α such that s.now ≤ fstate(α).now + t. The statement “after time t, property P holds” implies that property P holds for all states s in α such that s.now ≥ fstate(α).now + t.


2.1.7 Adversary Schemas 


We close this section with one final definition. The time bound for our randomized protocol states that starting from any state, no matter how the steps of the system are scheduled, the network forms a spanning tree within expected O(diameter) time. However, this claim can only be valid if the adversary is fair (as defined above). Thus, we need a way to restrict the set of adversaries for a probabilistic automaton. The following definition provides a general way of doing this.


Definition 2.7 An adversary schema for a probabilistic automaton M, denoted by Advs, is a subset of Advs_M.


2.2 Composability 


In this section, we introduce a key theorem of [SL94], the composability theorem. 


The statement U →^t_{p,Advs} U' means that, starting from any state of U and under any adversary A of Advs, the probability of reaching a state of U' within time t is at least p. The suffix Advs is omitted whenever we think it is clear from the context.


Definition 2.8 Let e_{U',t} be the event schema that, applied to an execution automaton H, returns the set of maximal executions α of H where a state from U' is reached in some state of α within time t. Then U →^t_{p,Advs} U' iff for each s ∈ U and each A ∈ Advs,

P_{H(M,A,s)}[e_{U',t}(H(M, A, s))] ≥ p.


Proposition 2.9 Let U, U', U'' be sets of states of a probabilistic automaton M. If U →^t_p U', then U ∪ U'' →^t_p U' ∪ U''.
In order to compose time bound statements, we need a restriction for adversary schemas stating that the power of the adversary schema is not reduced if a prefix of the past history of the execution is not known. Most adversary schemas that appear in the literature satisfy this restriction.


Definition 2.10 An adversary schema Advs for a probabilistic automaton M is execution closed if, for each A ∈ Advs and each finite execution fragment α ∈ frag*(M), there exists an adversary A' ∈ Advs such that for each execution fragment α' ∈ frag*(M) with lstate(α) = fstate(α'), A'(α') = A(α ⌢ α').


Theorem 2.11 (Composability theorem) Let Advs be an execution closed adversary schema for a probabilistic timed automaton M, and let U, U', U'' be sets of states of M. If U →^t_{p,Advs} U' and U' →^{t'}_{p',Advs} U'', then U →^{t+t'}_{pp',Advs} U''.

Corollary 2.12 Let Advs be an execution closed adversary schema for a probabilistic timed automaton M, and let U, U_1, U_2, ..., U_n, U* be sets of states of M. If U →^t_{p,Advs} U_1 ∪ U_2 ∪ ... ∪ U_n, and if U_i →^{t_i}_{p_i,Advs} U* for all i, then

U →^{t+max(t_1,t_2,...,t_n)}_{p·min(p_1,p_2,...,p_n),Advs} U*.


2.3 Networks as Probabilistic Automata


In this section we briefly describe how self-stabilizing protocols running on networks with shared-memory links can be modeled using probabilistic automata.


Self-stabilizing network protocols operate on networks that are dynamic—the set of processors or links may change during the execution. A change in the status of a processor or link is communicated to the processors it connects by a low level self-stabilizing protocol. Further, the state of a processor may change arbitrarily (not by an algorithmic step, but by “memory corruption”). We assume that the sequence of topological changes and non-algorithmic state changes is finite and that eventually such events cease. This allows us to ignore topological and state changes during an execution α of our protocol, as the last such change can be considered to change the network state to an arbitrary start state s of a new change-free execution. The time complexity measures the time taken for the protocol to succeed after the last such change.


The network G(V, E) can be represented by a “global” probabilistic automaton M whose state contains a vector of states of all its processors. We assume that the state s[i] of a processor i fully describes its internal state and the values written in all its registers. Thus the global state s contains {s[1], s[2], ..., s[n]}; in addition, it also contains timing information (e.g. now). The local computation at each processor consists of a sequence of atomic actions; the set acts(M) of actions of the global network includes the set of actions of each of its nodes, and the time passage action ν.


2.3.1 Fairness 


Let vis(M) denote the non-time-passage actions of acts(M). For the time complexity analysis, our protocols require that each action of vis(M) be executed in every unit of time. To this end, for each action a in vis(M), we include in state s a (real) “deadline” for that action, s.deadline(a); this deadline represents the latest time by which action a must be performed again. For all s ∈ start(M), s.deadline(a) = 1. A time passage step (s, ν, s') of M must satisfy the following condition: s'.now ≤ min_{a ∈ vis(M)} {deadline(a)}. For a non-time-passage action (s, a, s'), s'.now = s.now, and s'.deadline(a) = s.now + 1. Note that this construction guarantees that in any execution fragment α = s_0 a_1 s_1 a_2 ... of M, if lstate(α).now ≥ fstate(α).now + 1, then for every action a in vis there exists a step (s, a, s') in α.


For stating time bounds, we will need to assume fair adversaries. A is said to be fair iff the time advances without bound in every infinite execution fragment generated by A. (Note that this rules out “Zeno executions.”) Let FairAdvs(M) denote the adversary schema consisting of fair adversaries of M. From the definitions, it can be seen that any infinite execution α = s_0 a_1 s_1 a_2 ... of M generated by a fair adversary A can be partitioned into an infinite number of “rounds,” such that each processor performs each one of its enabled actions at least once in every round.


Also, note that the adversary schema FairAdvs(M) is execution-closed (cf. Definition 2.10).
Chapter 3


General Approaches to Spanning Tree Construction


Spanning tree algorithms usually utilize variants of a common overall scheme. We first describe the basic scheme which assumes the existence of unique node IDs. Each node is associated with a “priority,” which could initially be the node’s ID, for instance. At any instant during the algorithm’s progress, the network is logically partitioned into a spanning forest, which is defined by parent pointers maintained by the nodes. Initially (unless initialized by the adversary), this forest consists of the single-node trees defined by the network nodes themselves (i.e. parent = nil at all nodes, so each node is a root). Starting from this configuration, the nodes gradually coalesce into larger trees. Each node keeps track of the priority of the root of its tree. The goal is to produce a spanning tree rooted at the node with the highest priority. Nodes in the forest keep on exchanging root priorities with their neighbors. When a node u notices a neighbor v with a higher root priority, it attaches itself to v’s tree by making v its parent (parent_u ← v). Thus, trees with higher root priorities overrun trees with lower ones. Since the priorities are totally ordered, eventually all nodes in the network form a single tree rooted at the node with the highest priority. This simple ID-based scheme is not self-stabilizing, since if we allow “corrupted” initial states, nodes may “believe in” a highest priority that is not actually possessed by any root.


To adapt the ID-based scheme to an anonymous network (i.e. with no pre-assigned IDs), we need randomization to break symmetry between the processors. Each node in the network flips coins to arrive at a random ID, and participates in the tree construction process described above. Since IDs (and hence priorities) are chosen randomly, it is possible that the node with the highest priority in the network is not unique; there could be several such nodes with highest priority p. In such a situation, the above algorithm would halt when the network forms a spanning forest, with each tree rooted at one of the nodes with priority p. In this final state, all nodes would have the same ID; thus coalescing would cease at this point.


To detect such “multiple highest priorities,” [AKY90] and [DIM91] proposed the method of recoloring trees. In typical recoloring schemes, each tree is associated with a randomly chosen color. The root chooses a color at random from a small set of “colors” C of constant size (e.g. C = {0, 1, 2, 3}). This color is propagated through the entire tree rooted at that root. When the root receives confirmation that the entire tree has been colored with its color (through a simple acknowledgement mechanism), it chooses a new color. The process is repeated forever.


If there are several neighboring trees with priority p, there must exist nodes that are linked to neighbors not in their own tree. Since tree colors are chosen randomly, neighboring nodes that belong to different trees will assume different sequences of colors over time; this fact can be exploited to let such neighbors detect their affiliation to different trees.


In the scheme proposed by [AKY90], the sequence of colors chosen by a root to color its tree is “alternating” - of the form (c_1, c_s, c_2, c_s, c_3, c_s, ...), where c_s is a special color, “no-color,” and c_i ≠ no-color for all i. We can represent “no-color” by the color 0; then c_i ≠ 0 for all i. Thus when a root receives acknowledgement about its entire tree being colored with a non-zero color, it colors its tree with color 0. When its tree is entirely colored with color 0, it again recolors its tree with a non-zero color. In this scheme, if the node’s own color c_i is non-zero, then if it notices a neighbor with a non-zero color different from its own color, it can correctly conclude that that neighbor belongs to a different tree. Since the scheduler is assumed to be adversarial, additional constraints are imposed on the acknowledgement mechanism; details are presented in Section 5.


If a node v detects another tree, its root is informed of the condition. When a root learns of the existence of another tree rooted at the same ID, in the [AKY90] and [DIM91] schemes the root extends its ID by a randomly chosen bit and continues the protocol. Extending IDs is a way of breaking symmetry; eventually the roots in the network have appended enough random bits to their IDs so that there is a unique root with the highest ID, and subsequently a unique tree spanning the entire network.


Our technical contribution in this paper is twofold. First, we develop a framework for ID extension and generalize the concept. Our generalization enables us to reduce the time complexity of the randomized protocol to O(d), without prior knowledge of the size or diameter of the network. Our second main contribution is to use the concept of extension to efficiently confer the property of self-stabilization upon the basic deterministic scheme for ID-based networks, thus enabling us to give the first deterministic spanning tree protocol that is time-optimal (i.e. O(d) time) without prior knowledge of bounds on the network size or diameter.


Intuitively, the log n factor in the previous randomized result came from the need to initiate a new competition every time two trees “collided.” Every time a tree T' noticed another tree T with the same root ID, T' would randomly extend its ID to try to “win” over T. Our new method usually needs just O(1) ID extensions per node to converge to a spanning tree, as opposed to O(log n) extensions in the previous scheme. To achieve this the extension needs to be done in a careful way. When several IDs are independently extended, only one extended ID ought to “win,” in order to prevent the need for additional competition. Further, independent extensions must attempt to preserve existing order: they must not make a previously “beaten” tree become the maximum, since this will prevent progress by possibly necessitating new competition(s).

Previous approaches to the deterministic version attempt to form a spanning tree at the node v with the highest (or lowest) “hard-wired” ID. In doing so, they have to contend with the ghost root problem—eliminating all “belief” in the ghost root usually necessitates an “extra” Ω(d) addition to the time complexity. We exploit our intuitive results about ID extension to modify belief in the ghost root. In our scheme, as opposed to previous schemes, the node with the “distinguished” hardwired ID need not be the root of the spanning tree. The final root is determined by the state s set by the adversary at the start of the algorithm—the root is one of the nodes that believes in the highest ID.
Chapter 4


A Key Approach to Representing IDs


4.1 The Afek-Matias Probability Distribution 


In [AM89], Afek and Matias proposed a probability distribution which can be used to break symmetry in sets of unknown size. Let p be a pair (s, t) of integers, and let pairs be ordered lexicographically. [AM89] proposed a probability distribution on s and t, such that if several (say k) pairs (s_i, t_i) are randomly computed, there is a unique highest pair with probability at least ε, where ε is a constant independent of k. The number s_i is randomly selected according to the probability distribution


and the number t_i is randomly uniformly selected from the range [1, 20 ln(4r)] where r = 1/ε̄ (ε̄ = 1 − ε). ε̄ is the probability of error we are prepared to tolerate for a given collection of randomly chosen values of t_i (with probability ≤ ε̄, such a collection will not have a unique maximum). The purpose of t_i is to break symmetry between pairs that have the same s_i, since a small constant number of pairs are expected to have the same highest s_i. For our purposes, we choose ε = ε̄ = 1/2, so t_i is chosen from the range [1, 20 ln 8]. The choice of ε affects the running time of our randomized algorithm by only a constant factor; we have not attempted to compute the optimal value. Our choice of ε implies that if k pairs are flipped, there is exactly one highest pair with probability ≥ 1/2.


Since the protocols and the time complexity analysis do not need to access the individual components of a pair, to ease the notation, we will henceforth assume that a pair (s, t) is uniquely represented as a single integer x. The mapping must preserve the order on (s, t); since the range of t is finite, it is easy to construct such a mapping.


We now formally describe the Afek-Matias probability spaces that we will use. Let $\mathcal{P}_k$ denote the probability space that represents the outcome of $k$ independent pair flips. Let $X_1, X_2, \ldots, X_k$ be independent identically distributed random variables on this space representing the $k$ flips. The distribution of each $X_i$ is the AM distribution specified earlier; let $P(X_i = x)$ be denoted by $P_{\mathcal{P}}(x)$. A sample point $p$ on this space is an outcome of $k$ flips, $(p_1, p_2, \ldots, p_k)$. The set of events on this space is the set $2^{O}$, where $O$ is the set of integer $k$-tuples. Let $P_{\mathcal{P}_k}(E)$ be the probability of event $E$. Let $\mathit{Highest}$ be the random variable that returns the highest coin flip:

$$\mathit{Highest}(p_1, p_2, \ldots, p_k) = \max(p_1, p_2, \ldots, p_k)$$

Also, we define the event $\mathit{UNIQH}$ to be the event that “there exists a unique highest coin flip”; thus

$$\mathit{UNIQH} = \{\, p \mid \exists i \ \forall j \neq i,\ p_i > p_j \,\}$$

We now state some properties of $\mathcal{P}_k$. The first property is the main result of [AM89]:

Theorem 4.1 For any $k$, $P_{\mathcal{P}_k}(\mathit{UNIQH}) \ge 1/2$. □

The next two theorems are proved in Appendix A:

Theorem 4.2 For any $k, i$, $P_{\mathcal{P}_k}(\mathit{UNIQH} \mid (\mathit{Highest} > i)) \ge 1/2$. □

Theorem 4.3 For any $k, i$, $P_{\mathcal{P}_k}(\mathit{Highest} \neq i) \ge (1 - e^{-1/4}) > 0.22$. □
4.2 ID Representation

IDs are represented as tuples of entries; each entry is an integer. In the randomized protocol, an entry may represent the result of a number randomly chosen according to the AM scheme (cf. Section 4.1).
We impose a lexicographic order $\prec$ on IDs; this order is a total order. Thus if $X = (x_1, \ldots, x_j)$ and $Y = (y_1, \ldots, y_k)$ are two IDs, then

$$X \prec Y \iff j < k \text{ and } (x_1, \ldots, x_j) = (y_1, \ldots, y_j)$$
$$\text{OR}$$
$$\exists m \le \min(j, k) \mid (x_1, \ldots, x_{m-1}) = (y_1, \ldots, y_{m-1}) \text{ and } x_m < y_m$$

If the first case holds, i.e. if $X$ is a proper prefix of $Y$, we define the precedence to hold in the weak sense, written $X \prec_w Y$. In the second case, $X$ is not a prefix of $Y$; we define the precedence to hold in the strong sense, written $X \prec_s Y$. We define the relations $\preceq_w$ and $\preceq_s$ similarly, but they also include equality (i.e. the same IDs).


The concatenation of two IDs $X = (a_1, \ldots, a_j)$ and $Y = (b_1, \ldots, b_k)$, written $X : Y$, is defined as the ID $(a_1, \ldots, a_j, b_1, \ldots, b_k)$.

For an ID $X$, let $\mathrm{IDLENGTH}(X)$ denote the number of entries in $X$, and let $X[i]$ denote the $i$th entry of $X$. Let $X[1..i]$ denote the prefix $(X[1], X[2], \ldots, X[i])$.


We now state some basic properties of our ID representation:

Proposition 4.4 For any IDs $A$, $B$, $A'$, $B'$, and $C$, the following properties hold:

1. $A \prec_w A:B$.

2. $(A \prec_w B) \wedge (B \preceq_w C) \Rightarrow (A \prec_w C)$.

3. $(A \preceq_s B) \wedge (B \preceq_s C) \Rightarrow (A \preceq_s C)$.

4. $(A \prec_s B) \wedge (A \preceq_w C) \Rightarrow (C \prec_s B)$.

5. $(A \prec_s B) \Rightarrow (A:A' \prec_s B:B')$.
4.3 Motivation behind our ID Representation

As mentioned earlier, nodes compete with one another for being the root of the eventual spanning tree. The competition is on the basis of IDs; a higher ID “beats” a lower one; correspondingly, a tree with a high root ID overruns a tree with a lower root ID. If two trees with the same root ID detect each other's existence, their root nodes need to break the symmetry so that only one of the two advances in the competition. A highly desirable model to impose on this competition is the tournament model, to pick a unique winner starting with $n$ competitors. As the tournament progresses, we have a shrinking pool of “candidates” for the eventual winner; once a player leaves the pool, it is out of the running.

Our definition of IDs and the ordering defined on them captures the tournament model. A root can only change its ID by appending an entry to it. When two roots with equal IDs independently extend their IDs in this manner, one of the new IDs is ordered higher than the other (if they are different). Further, note that the first ID is now higher in the strong sense: if the roots perform further (possibly no) extensions, the first root ID will remain higher even after additional extensions (by Proposition 4.4(5)). The second root, with the lower ID, can never compete with the first root after this extension. Hence there exists a shrinking pool of “candidate” roots. The fact that a root “beaten” in this manner cannot compete further for being the eventual root is crucial to the time complexity of our algorithm, since competitions between non-candidate roots do not contribute to the overall time complexity.

If, on the other hand, ID $X$ is higher than ID $Y$ in the weak sense, it is still possible for $Y$, through some sequence of extensions, to eventually be higher than $X$ in the strong sense. Thus a weak-sense relationship between two IDs implies that the roots possessing those IDs are not yet “differentiated” in the competition; either of them might eventually “beat” the other.
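As an added illustration (not code from the thesis), the following Python sketch implements the ID order of Section 4.2 with its weak and strong senses and runs the tournament of Section 4.3 with simulated Afek-Matias entries; the geometric distribution used for $s$ and the encoding of $(s,t)$ as one integer are assumptions, since the distribution is not legible on this page.

```python
import random
from typing import Dict, List, Tuple

ID = Tuple[int, ...]          # an ID is a tuple of integer entries (Section 4.2)
T_MAX = 41                    # floor(20 ln 8): the range [1, 20 ln 8] chosen for t


def compare(X: ID, Y: ID) -> Tuple[int, str]:
    """Lexicographic comparison of Section 4.2.

    Returns (sign, sense): sign is -1 if X precedes Y, +1 if Y precedes X and 0 if
    they are equal; sense is "weak" when the lower ID is a proper prefix of the
    higher one, "strong" when they differ at some position, "equal" otherwise."""
    for x, y in zip(X, Y):
        if x != y:
            return (-1 if x < y else 1), "strong"
    if len(X) == len(Y):
        return 0, "equal"
    return (-1 if len(X) < len(Y) else 1), "weak"


def weak_prec(X: ID, Y: ID) -> bool:       # X precedes Y in the weak sense
    return compare(X, Y) == (-1, "weak")


def strong_prec(X: ID, Y: ID) -> bool:     # X precedes Y in the strong sense
    return compare(X, Y) == (-1, "strong")


def concat(X: ID, Y: ID) -> ID:            # X : Y
    return tuple(X) + tuple(Y)


def am_entry(rng: random.Random) -> int:
    """One Afek-Matias pair (s, t) encoded as a single order-preserving integer.
    ASSUMPTION: s is geometric with P(s = i) = 2^-i for i >= 1 (the [AM89]
    distribution; the formula is not legible on this page) and t is uniform on
    [1, T_MAX].  Since 1 <= t <= T_MAX, x = s*(T_MAX+1) + t orders pairs exactly
    as the lexicographic order on (s, t) does."""
    s = 1
    while rng.random() < 0.5:
        s += 1
    return s * (T_MAX + 1) + rng.randint(1, T_MAX)


def tournament(k: int, seed: int, start: ID = (7,)) -> Dict[str, object]:
    """Simulate k roots that begin with equal IDs and keep extending them with AM
    entries.  The candidate pool is the set of roots not strongly preceded by any
    other root.  By Proposition 4.4(5) a root that leaves the pool can never
    re-enter it, whatever entries are appended later; the returned "monotone"
    flag records whether that held in this run."""
    rng = random.Random(seed)
    ids: List[ID] = [start] * k
    pool = set(range(k))
    rounds, monotone = 0, True
    while len(pool) > 1:
        rounds += 1
        ids = [concat(i, (am_entry(rng),)) for i in ids]     # every root extends
        new_pool = {i for i in range(k)
                    if not any(strong_prec(ids[i], ids[j]) for j in range(k) if j != i)}
        monotone = monotone and new_pool <= pool              # the pool only shrinks
        pool = new_pool
    winner = next(iter(pool))
    return {"rounds": rounds, "winner": winner, "monotone": monotone,
            "beats_all": all(strong_prec(ids[j], ids[winner])
                             for j in range(k) if j != winner)}
```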
Chapter 5

Specification of the Randomized Algorithm

Section 3 described the basic approach used by our randomized algorithm. This section states the algorithm. The deterministic version is very similar to the randomized one; we briefly describe the deterministic version in Section 8.


The network can be modeled as a probabilistic automaton RSST (for “Randomized Self-stabilizing Spanning Tree”) whose state $s$ contains a global time component $s.now$, a set of deadlines $\{s.deadline(a)\}$ (cf. Section 2.3.1), and the states of the network nodes. The state $s_{(u)}$ of each node $u$ consists of a set of shared variables $ID_u$, $distance_u$, $parent_u$, $color_u$, $mode_u$, $other\text{-}trees_u$, and, for each neighbor $v$ of $u$, $nbr\text{-}color_{uv}$. In addition, the state of each node $u$ contains a set of local variables $ID_{uv}$, $distance_{uv}$, $parent_{uv}$, $color_{uv}$, $mode_{uv}$, $other\text{-}trees_{uv}$, and $self\text{-}color_{uv}$ for each neighbor $v$ of $u$; these are local copies of the corresponding variables at $v$ (with the exception of $self\text{-}color_{uv}$, which is a local copy of $color_{vu}$) which node $u$ maintains and periodically updates by reading $v$'s shared variables. These variables can be partitioned into two categories: those associated with tree overrunning ($ID$, $distance$, $parent$) and those associated with recoloring or the process of detecting “competing” trees ($color$, $mode$, $other\text{-}trees$, $self\text{-}color$, and $nbr\text{-}color$; cf. Section 3). The state variables and their types are listed in Figure 5-1.

Shared variables:

  Variables for tree overrunning:
    ID_u ∈ ID-tuples (cf. Section 4), current ID
    distance_u ∈ {0, 1, 2, ...}, estimate of current distance from root
    parent_u ∈ {nil} ∪ Nbrs(u), pointer to parent

  Variables for tree recoloring:
    color_u ∈ {0, 1, 2, 3}, current color
    mode_u ∈ {broadcast, echo}, recoloring phase
    other-trees_u ∈ {true, false}, existence of other trees with same ID
    ∀v ∈ Nbrs(u), nbr-color_uv ∈ {1, 2, 3, undefined}, last “real” color of nbr v

Local variables:

  ∀v ∈ Nbrs(u),
    /* local copy of corresponding shared variables at neighbor v */
    ID_uv, parent_uv, distance_uv, color_uv, mode_uv, other-trees_uv, self-color_uv
  (Note that color_uv, self-color_uv ∈ {0, 1, 2, 3, undefined})

Figure 5-1: Set s_(u): State components of node u


Nodes maintain IDs; these IDs are not “hard-wired” (since we are considering anonymous networks here), and are susceptible to change. The $parent_u$ variable at $u$ points to a neighboring node (or “nil”); the set of $parent_u$ variables at all nodes $u \in V$ defines a subset $E_{parent}$ of the set of edges $E$. We attempt to make the parent subgraph $G_{parent} = (V, E_{parent})$ represent a forest; thus we attempt to make each node $u$ belong to a tree $T_u$. The $distance_u$ variable is an estimate of the distance from $u$ to the root of its tree $T_u$ (if such a tree exists).

The priority of a node $u$ is defined to be the tuple $(ID_u, distance_u)$. We define a total order $\gg$ on priorities:

Definition 5.1 (Order $\gg$ on priorities) $(ID_u, distance_u) \gg (ID_v, distance_v)$ iff either $ID_u \succ ID_v$, or their IDs are equal and $distance_u < distance_v$. The analogous relation $\gg_=$ includes equality. (We write $p \ll q$, resp. $p \ll_= q$, when $q \gg p$, resp. $q \gg_= p$.) □

  /* copy neighbor variables into local memory */
  ∀v ∈ Nbrs(u), COPY_uv

  /* become child of neighbor with maximum priority, or become root */
  MAXIMIZE-PRIORITY_u

  /* if local neighborhood “looks” stable, participate in recoloring etc. */
  DETECT-TREES_u

  /* if root's tree has acknowledged color, choose new color */
  NEXT-COLOR_u

  /* if root has detected other trees with same ID, extend ID */
  EXTEND-ID_u

Figure 5-2: Actions of node u


The protocol at each node $u$ is implemented through the atomic actions specified in Figure 5-2. Note that each action is always enabled; actions need not be performed in any particular order. At each state of an execution $\alpha = s_0 a_1 s_1 a_2 s_2 \ldots$, the adversary chooses the next processor $u$ to perform an action, as well as the particular action of $u$ that is performed.


The action COPY$_{uv}$ (Fig. 5-3) reads the values of neighbor $v$'s shared variables and copies them into the corresponding local “opinions” at node $u$. Besides, it performs tasks related to the coloring algorithm. The action MAXIMIZE-PRIORITY$_u$ (Fig. 5-4) makes $u$ participate in the important task of tree overrunning; it sets the $ID$, $distance$ and $parent$ variables. (It makes node $u$ maximize its priority by attaching to neighboring nodes, if possible.) The action DETECT-TREES$_u$ (Fig. 5-5) makes $u$ participate in recoloring its tree to detect “competing” trees with the same ID. If $u$ is a root whose tree has acknowledged being colored with a certain color, the action NEXT-COLOR$_u$ (Fig. 5-6) makes $u$ choose the next color to color its tree with. Finally, if $u$ is a root node and the recoloring process has informed it of a “competitor” tree, the action EXTEND-ID$_u$ (Fig. 5-7) causes $u$ to extend its ID randomly to break symmetry.


Definition 5.2 (RSST) The probabilistic automaton RSST is defined as follows:

1. The set $states(RSST)$ consists of all states $s$ such that
   • the values of all variables in $s_{(u)}$ belong to their corresponding types (listed in Figure 5-1),
   • $s.now \ge 0$, and
   • for each $a \in acts(RSST)$, $s.deadline(a) \ge 1$.

2. $start(RSST) = \{s \mid s.now = 0 \wedge \forall a \in acts(RSST),\ s.deadline(a) = 1\}$.

3. $acts(RSST)$ consists of $\nu$ (time passage) and, for all $u$ and all $v \in Nbrs(u)$, the actions $\{COPY_{uv},\ \text{MAXIMIZE-PRIORITY}_u,\ \text{DETECT-TREES}_u,\ \text{NEXT-COLOR}_u,\ \text{EXTEND-ID}_u\}$.

4. $steps(RSST)$ is specified by the code for the individual actions in $acts(RSST)$, listed in Figures 5-3 to 5-7. □


Henceforth, the code is organized, for convenience, into statements labeled [A], [B], [C], etc.

Statement [A] in action COPY$_{uv}$ (Figure 5-3), invoked by node $u$, performs the task of reading the shared variables of the neighbor $v$ and copying them into local memory. For example, the value of $ID_u$ at node $u$ is the value of $u$'s current ID, and $ID_{uv}$ is intended to hold the latest “opinion” of the ID of neighbor $v$. Statements [B], [C] and [D] perform tasks required for the tree detection algorithm; they are described in Section 5.1.


We want trees with high root IDs to “overrun” trees with lower root IDs. To this end, each node $u$ tries to “optimize” its ID: if it notices a neighbor with an ID higher than itself, it attaches to the neighbor with the highest ID, and changes its ID to the observed ID. Further, once it has optimized its ID, it also tries to optimize its distance: it prefers to attach to the node with the smallest distance. The purpose of the distance counters is to “shrink” long branches in trees so that no branch can exceed diameter length. Hence in [E] of MAXIMIZE-PRIORITY$_u$ we make $u$ determine the neighbor $l$ with the highest priority. Many neighbors may all have the same highest priority; we break ties by choosing the highest-ordered neighbor (each processor is assumed to maintain a total order on its neighbors, so that such ties can be resolved in a consistent manner).

COPY_uv
  /* make local copies of neighbor variables */
  [A]  ID_uv ← ID_v
       distance_uv ← distance_v
       parent_uv ← parent_v
       color_uv ← color_v
       mode_uv ← mode_v
       other-trees_uv ← other-trees_v
       self-color_uv ← color_vu

  /* perform coloring tasks if necessary */
  [B]  if (ID_uv = ID_u and |distance_u − distance_uv| ≤ 1)
       then
         /* record color of neighbor if necessary */
  [C]    if (color_u ≠ 0) and (color_uv ≠ 0)
         then
           nbr-color_uv ← color_uv
           if color_u ≠ color_uv then other-trees_u ← true

         /* copy parent's color if necessary */
  [D]    if (parent_u = v) and (color_u ≠ color_uv)
         then Reset-Color_u(color_uv)

Figure 5-3: Action COPY_uv

MAXIMIZE-PRIORITY_u
  /* let l be the “largest” of all neighbors that have max priority */
  [E]  Let l ← max { x | (ID_ux, distance_ux) = max'_{v ∈ Nbrs(u)} (ID_uv, distance_uv) }
       (where max' is the maximum over the relation ≫, cf. Definition 5.1)

  /* force root to extend first, if about to be overrun by a suffix ID */
  [F]  if (parent_u = nil) and (ID_u precedes ID_ul in the weak sense) then
         while ID_u precedes ID_ul in the weak sense
           Append-Entry_u()

  /* if u can improve its priority, by becoming child of another */
  /* neighbor, do so, otherwise become root */
  [G]  if (ID_ul, distance_ul + 1) ≫= (ID_u, distance_u)   /* ≫=: see def. of ≫ */
       then
         ID_u ← ID_ul
         distance_u ← distance_ul + 1
         parent_u ← l
  [H]  else /* no neighbor has a larger priority; become root */
         distance_u ← 0
         parent_u ← nil

Figure 5-4: Action MAXIMIZE-PRIORITY_u


The purpose of statement [F] is rather technical; it is not required for correctness but plays an important role in maintaining an overall $O(\delta)$ time complexity for our algorithm. (Note that $\delta$ is the network diameter.) As will be explained in the time complexity analysis of Section 6, statement [F] limits the power of an adversary to alter the probability distribution of existing root IDs.

Statement [G] determines whether node $u$ can increase its priority by attaching to the “highest” neighbor $l$ determined by [E]. If the priority cannot decrease, it then makes the neighbor $l$ its parent, assumes its ID, and assumes its distance incremented by one.

However, if node $u$ can only decrease its priority by attaching to the neighbor $l$, [H] makes it become a root, keeping its ID unchanged and resetting its distance to zero. This is the mechanism for handling the ghost root problem described earlier: if node $u$ notices that it was a nonroot node with an ID $I_u$ that is not possessed by any of its neighbors and is higher than all its neighbors' IDs, it was erroneously “believing” in the existence of a root node with ID $I_u$. In this situation, node $u$ simply becomes a root with ID $I_u$ by setting its distance to zero, thus obviating the need to “correct” erroneous belief in that root elsewhere in the network. Hence statement [H] plays an important role in self-stabilization.
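The tree-overrunning part of the protocol, as an added example that is not the thesis's own code: statements [E] to [H] of MAXIMIZE-PRIORITY$_u$ and statement [A] of COPY$_{uv}$ run under a round-robin scheduler on a constructed four-node start state that contains both a parent cycle and a ghost root, and the Definition 6.1 and Lemma 6.8 checks are evaluated afterwards. The random stand-in for an Afek-Matias entry in [F] and the start state are assumptions of the example.

```python
import random
from typing import Dict, List, Optional, Tuple

ID = Tuple[int, ...]
Priority = Tuple[ID, int]       # (ID_u, distance_u), ordered by >> of Definition 5.1


class Node:
    """Tree-overrunning state of one node (Figure 5-1, colouring variables omitted)."""
    def __init__(self, nbrs: List[str], ID: ID, distance: int, parent: Optional[str]):
        self.nbrs = nbrs                      # list order = the node's total order on neighbours
        self.ID, self.distance, self.parent = ID, distance, parent   # shared variables
        self.local: Dict[str, Priority] = {}  # (ID_uv, distance_uv) for each neighbour read so far


def gg(p: Priority, q: Priority) -> bool:
    """p >> q (Definition 5.1): higher ID, or equal IDs and smaller distance.
    Python's tuple order coincides with the lexicographic ID order of Section 4.2."""
    return p[0] > q[0] or (p[0] == q[0] and p[1] < q[1])


def gg_eq(p: Priority, q: Priority) -> bool:
    return p == q or gg(p, q)


def proper_prefix(X: ID, Y: ID) -> bool:      # X precedes Y in the weak sense
    return len(X) < len(Y) and Y[:len(X)] == X


def copy_action(net: Dict[str, Node], u: str, v: str) -> None:
    """COPY_uv, statement [A] only: read v's shared variables into u's local copies."""
    net[u].local[v] = (net[v].ID, net[v].distance)


def maximize_priority(net: Dict[str, Node], u: str, rng: random.Random) -> None:
    """MAXIMIZE-PRIORITY_u, statements [E] to [H] of Figure 5-4."""
    node = net[u]
    l = None
    for v in node.nbrs:            # [E]: best priority; ties go to the highest-ordered neighbour
        if v in node.local and (l is None or gg_eq(node.local[v], node.local[l])):
            l = v
    if l is None:
        return                     # no neighbour has been read yet
    ID_l, dist_l = node.local[l]
    if node.parent is None and proper_prefix(node.ID, ID_l):        # [F]
        while proper_prefix(node.ID, ID_l):
            node.ID = node.ID + (rng.randint(1, 10**6),)            # stands in for an AM entry
    if gg_eq((ID_l, dist_l + 1), (node.ID, node.distance)):         # [G]: attach if priority does not drop
        node.ID, node.distance, node.parent = ID_l, dist_l + 1, l
    else:                                                           # [H]: become root
        node.distance, node.parent = 0, None


def run_rounds(net: Dict[str, Node], rounds: int, seed: int = 0) -> None:
    """Round-robin scheduler: each round every node copies all neighbours, then maximizes."""
    rng = random.Random(seed)
    for _ in range(rounds):
        for u in net:
            for v in net[u].nbrs:
                copy_action(net, u, v)
            maximize_priority(net, u, rng)


def is_forest(net: Dict[str, Node]) -> bool:
    """Definition 6.1: the state defines a forest iff no node is its own ancestor."""
    for start in net:
        seen, cur = {start}, net[start].parent
        while cur is not None:
            if cur in seen:
                return False
            seen.add(cur)
            cur = net[cur].parent
    return True


def priority_invariant(net: Dict[str, Node]) -> bool:
    """Lemma 6.8: every child has strictly lower priority than its parent."""
    return all(gg((net[n.parent].ID, net[n.parent].distance), (n.ID, n.distance))
               for n in net.values() if n.parent is not None)


def roots(net: Dict[str, Node]) -> List[str]:
    return [u for u, n in net.items() if n.parent is None]


def ghost_root_network() -> Dict[str, Node]:
    """Constructed adversarial start state on the path a-b-c-d: a and b point at
    each other (a cycle), c believes in a root with ID (9,) seven hops away that
    does not exist (a ghost root), and d is a genuine root with a lower ID."""
    return {
        "a": Node(["b"], (9,), 1, "b"),
        "b": Node(["a", "c"], (9,), 2, "a"),
        "c": Node(["b", "d"], (9,), 7, "b"),
        "d": Node(["c"], (3,), 0, None),
    }
```

After the run, a has become the (real) root of ID (9,) through [H], the cycle is gone, and every node sits at its true distance from a.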
5.1 The Tree Detection Algorithm

The Tree Detection Algorithm has the following purpose: if two or more neighboring trees have the same root ID, we want their roots to detect this condition, so that they can then extend their IDs to break symmetry and advance in the competition. The complexity in the code arises from having to contend with faults, asynchrony, and the fact that we regard the scheduler as an adversary capable of altering the schedule to thwart our intentions. The Tree Detection Algorithm is implemented through statements [B], [C] and [D] in action COPY, and through actions DETECT-TREES, NEXT-COLOR and EXTEND-ID.

Statements [B] and [I] test for a “stability condition”; the rest of the tree detection code in actions COPY and DETECT-TREES is only executed if the neighborhood of node $u$ appears to “believe in” only one ID. If this is not the case, tree overrunning is still in progress in the neighborhood of $u$, and so tree detection cannot be performed.

Let node $u$ belong to a tree $T$ defined on the parent subgraph. (As will be shown in the proof, the action MAXIMIZE-PRIORITY guarantees that $u$ eventually belongs to some tree.) Let the root of $T$ be node $r_u$. The tree detection algorithm colors the tree $T$ with an alternating sequence of colors $\{c_1, 0, c_2, 0, c_3, 0, \ldots\}$, where $c_i \neq 0$ for all $i$. The $color$ variable of a node represents its current color.

Let the color of the root $r_u$ at some instant be $c$. Nodes in the tree propagate color $c$ to their children, so that eventually all nodes in tree $T$ will set their color to $c$. When the entire tree is colored with $c$, nodes acknowledge this fact to the root. This propagation and acknowledgement is done through a standard “broadcast-echo” mechanism: the $mode$ field of a node is set to either broadcast or echo, depending on which phase of the recoloring is in progress at that node.


When a node notices that its own color is different from that of its parent (in statement [D]), it calls the subroutine Reset-Color$_u$ (Fig. 5-8), which “resets” its coloring variables, and causes it to broadcast its parent's color (by setting its mode to broadcast and copying its parent's color). In this manner, when a root $r$ chooses a new color, its descendants successively copy that color, and a “broadcast wave” propagates throughout $T$.

DETECT-TREES_u
  [I]  if ∀v ∈ Nbrs(u), (ID_uv = ID_u and |distance_uv − distance_u| ≤ 1)
       then
         /* check for echo */
  [J]    if
         { (mode_u = broadcast)
           /* and if all children echo u's color */
           and (∀v ∈ Children_u, mode_uv = echo and color_uv = color_u)
           /* and if “mirror technique” is applicable: see text. If node u has */
           /* some color (≠ 0), it should have observed neighbors' colors, and */
           /* neighbors should have observed u's color, detected by self-color_uv */
           and (color_u ≠ 0 ⇒ ∀v ∈ Nbrs(u),
                  nbr-color_uv ≠ undefined and self-color_uv = color_u)
         }
         then
           mode_u ← echo
  [K]      if (∃v ∈ Children_u | other-trees_uv = true) then other-trees_u ← true

Figure 5-5: Action DETECT-TREES_u

NEXT-COLOR_u
  /* If root, choose new color if necessary */
  if (parent_u = nil and mode_u = echo and other-trees_u = false)
  then
    Reset-Color_u(New-Color_u())

Figure 5-6: Action NEXT-COLOR_u

EXTEND-ID_u
  if (parent_u = nil and mode_u = echo and other-trees_u = true)
  then
    Append-Entry_u()
    Reset-Color_u(New-Color_u())

Figure 5-7: Action EXTEND-ID_u


In a simple echoing scheme that does not need to take into account an adversarial scheduler, each node $u$ sets its direction to “echo” when all its children are echoing the same color (i.e. all children have the same color $c$ as node $u$ and have their mode set to echo). This is also part of our condition for echoing, which is tested in [J]. In this manner, an “echo wave” travels upwards from the leaves to the root.

When the root $r_u$ notices that all its children are echoing its color $c$, it concludes that its entire tree is colored with $c$, and then changes its color (through action NEXT-COLOR$_u$ in Fig. 5-6). Its new color is a function of the previous color $c$: it alternates between 0 and a color randomly chosen from $\{1, 2, 3\}$. The rationale for the coloring sequence was described in Section 3.


When a node is broadcasting some color (i.e., $mode_u$ = broadcast), it checks for the existence of competing trees with the same ID. This check is performed in [C]. In the scheme for a non-adversarial scheduler, if a node observes that some neighbor is colored with a color different from its own (provided neither color is 0), it can correctly conclude that that neighbor belongs to a tree different from itself. If node $u$ detects such a competing tree, it sets its $other\text{-}trees_u$ to true; the echoing mechanism conveys this information to the root of the tree (through statement [K]). If a root is thus informed of the existence of a competing tree (i.e. another tree with the same root ID), it attempts to break symmetry by extending its ID (action EXTEND-ID$_u$, Fig. 5-7). After extending its ID the root participates in the overrunning and recoloring processes all over again.

Append-Entry_u()
  ID_u ← ID_u : x
  where x is an entry chosen by the Afek-Matias [AM89] scheme

New-Color_u()
  if color_u = 0
  then return color randomly chosen from {1, 2, 3}
  else return 0

Reset-Color_u(color)   /* reset local recoloring-related variables */
  color_u ← color
  mode_u ← broadcast
  other-trees_u ← false
  ∀v ∈ Nbrs(u),
    nbr-color_uv ← undefined
    self-color_uv ← undefined
  ∀v ∈ Children_u, color_uv ← undefined

Children_u : { v | parent_uv = u }

Figure 5-8: Macros


However, this scheme of detecting duplicate IDs (i.e. “$u$ is colored with a non-zero color different from that of some neighbor $v$” implies that $v$ is in a different tree) is not sufficient if the scheduler is adversarial. Consider the recoloring process operating on two neighboring trees $T$ and $T'$ having the same root ID, containing two neighboring nodes $u$ and $v$ respectively. We want our tree detection process to eventually let at least one of the trees detect this situation. However, the schedule could be manipulated by the adversary such that the two trees are never both colored with a non-zero color; the adversary could schedule steps such that always exactly one of the trees is colored 0 and the other is colored with a non-zero color. In such a schedule, the trees can continue the recoloring process indefinitely without ever detecting each other.

An idea proposed in [AKY90] modifies the scheme so that it can accommodate an adversarial scheduler. The idea is that when a node $u$ is colored with a non-zero color, it waits for each neighboring node to be colored with a non-zero color, and records this color individually for each neighbor $v$ as soon as available, in the variable $nbr\text{-}color_{uv}$ (in [C]). Correspondingly, it waits till it observes that each neighbor $v$ has observed its own color, by examining the variable $self\text{-}color_{uv}$, which it copied from its neighbor. The test for this mirror-like scheme is part of the condition [J] for echoing. Section 7 shows that this scheme succeeds for the adversarial scenario described earlier.
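An added simulation (not code from the thesis) of the two-tree scenario above: two neighbouring single-node trees with equal root IDs are driven by a scheduler that, whenever the echo rule permits, keeps the COPYs from ever seeing two non-zero colours; with the mirror clause of [J] switched on, the same fair schedule lets one root detect the other. The start colours and the scheduling policy are constructed for the example.

```python
import random
from dataclasses import dataclass
from typing import Optional

UNDEF = None                     # stands for "undefined" in Figure 5-1


@dataclass
class Root:
    """Recolouring state of a root whose tree is just itself, plus its local copies
    of its single neighbour's shared variables (Figure 5-1)."""
    color: int = 0
    mode: str = "broadcast"
    other_trees: bool = False
    nbr_color: Optional[int] = UNDEF   # nbr-color_uv (shared)
    color_nbr: Optional[int] = 0       # color_uv: local copy of color_v
    self_color: Optional[int] = UNDEF  # self-color_uv: local copy of color_vu
    extended: bool = False             # set once EXTEND-ID appends an entry


def reset_color(u: Root, c: int) -> None:            # Reset-Color_u(c), Figure 5-8
    u.color, u.mode, u.other_trees = c, "broadcast", False
    u.nbr_color = u.self_color = UNDEF


def new_color(u: Root, rng: random.Random) -> int:   # New-Color_u(), Figure 5-8
    return rng.choice([1, 2, 3]) if u.color == 0 else 0


def copy(u: Root, v: Root) -> None:                  # COPY_uv, statements [A]-[C]
    u.color_nbr = v.color                            # [A]
    u.self_color = v.color_nbr                       # v's current opinion of color_u
    # [B] holds: equal IDs and both distances are 0
    if u.color != 0 and u.color_nbr != 0:            # [C]
        u.nbr_color = u.color_nbr
        if u.color != u.color_nbr:
            u.other_trees = True


def detect_trees(u: Root, mirror: bool) -> None:     # DETECT-TREES_u, statement [J]
    if u.mode != "broadcast":
        return
    # u has no children, so "all children echo" holds vacuously
    if mirror and u.color != 0 and not (u.nbr_color is not UNDEF and u.self_color == u.color):
        return                                       # mirror clause not yet satisfied
    u.mode = "echo"


def next_color(u: Root, rng: random.Random) -> None: # NEXT-COLOR_u
    if u.mode == "echo" and not u.other_trees:
        reset_color(u, new_color(u, rng))


def extend_id(u: Root, rng: random.Random) -> None:  # EXTEND-ID_u
    if u.mode == "echo" and u.other_trees:
        u.extended = True                            # Append-Entry_u() would run here
        reset_color(u, new_color(u, rng))


def adversarial_run(mirror: bool, seed: int, max_rounds: int = 200) -> Optional[int]:
    """Two neighbouring single-node trees with the same root ID.  Each round the
    scheduler drives the currently coloured root through DETECT-TREES, NEXT-COLOR
    and EXTEND-ID first, so that when the COPYs run at most one root is coloured,
    if the echo rule lets it get away with that.  Every action still runs every
    round, so the schedule is fair.  Returns the round in which a root first
    extends its ID, or None if neither root ever detected the other."""
    rng = random.Random(seed)
    u, v = Root(color=1), Root(color=0)              # constructed start state
    for rnd in range(1, max_rounds + 1):
        first, second = (u, v) if u.color != 0 else (v, u)
        for w, x in ((first, second), (second, first)):
            detect_trees(w, mirror)
            next_color(w, rng)
            extend_id(w, rng)
            if w.extended:
                return rnd
            copy(w, x)
            copy(x, w)
    return None
```

Without the mirror clause the coloured root echoes at once, drops to colour 0 before any COPY, and the two roots alternate forever; with it, the coloured root must wait until its neighbour is coloured too and has seen its colour, so a COPY with two differing non-zero colours is forced.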
Chapter 6

Correctness and Complexity Proof for the Randomized Algorithm: Part 1

The probabilistic automaton RSST implementing our randomized protocol was defined in Definition 5.2. We prove that RSST constructs a spanning tree within expected $O(\delta)$ time, where $\delta$ is the network diameter. In this section we give some basic definitions and an overview of the proof.


6.1 Spanning Trees

We first define the states of RSST that define a spanning tree.

Definition 6.1 For any $s \in states(RSST)$,

• $\mathcal{E}(s)$ is the multiset of the node ids in $s$, i.e. $\mathcal{E}(s) = s.\{ID_{v_1}, ID_{v_2}, \ldots, ID_{v_n}\}$.

• Node $u$ is a root in state $s$ if $s.parent_u = nil$.

• The set $\rho(s)$ is the set of root nodes in $s$, i.e. $\rho(s) = \{u \in V \mid s.parent_u = nil\}$.

• Node $u$ is an ancestor of node $v$ ($u \neq v$) in $s$ if there exists a sequence of nodes $\{u, u_1, u_2, \ldots, u_j, v\}$ such that $parent_{u_1} = u$, $parent_{u_2} = u_1$, $\ldots$, $parent_{u_j} = u_{j-1}$, $parent_v = u_j$.

• State $s$ contains a cycle if there exists a node that is an ancestor of itself.

• State $s$ defines a forest if it does not contain a cycle.

• State $s$ defines a spanning tree if it defines a forest and $|\rho(s)| = 1$. □

Let the set $S = start(RSST)$ denote the set of start states of RSST. The set $ST$ is defined as the set of states defining a spanning tree. Thus,

$$ST = \{s \in states(RSST) \mid s \text{ defines a spanning tree}\}$$


6.2 Overview of the Proof

In this section we give an outline of the proof. We need to prove that departing from a state of $S$, the expected time to reach a state of $ST$ is $O(\delta)$.

Our proof is divided into several phases, each one of which proves a property of making partial time-bounded progress toward a “success state”, i.e., a state of $ST$. The state sets associated with the different phases are $S$, $F'$, $F$, $C^=$, $C^!$, $G$, and $ST$. Here,

$$F' = \{s \mid s \text{ defines a forest}\}$$

is the set of forest-defining states, and

$$F = \left\{ s \;\middle|\; \forall u, v,\ \begin{array}{l} 1.\ v = s.parent_u \Rightarrow s.(ID_u, distance_u) \ll s.(ID_{uv}, distance_{uv}) \\ 2.\ v \in Nbrs(u) \Rightarrow s.(ID_{uv}, distance_{uv}) \ll_= s.(ID_v, distance_v) \end{array} \right\}$$

is a subset of the set of closed forest-defining states (this property will be shown in Section 6.3). Thus, once a state of $F$ is reached, the global state always defines a forest.


To motivate the definitions of $C^=$, $C^!$, and $G$, we introduce the set

$$\Phi(s) = \{u \in \rho(s) \mid \neg(\exists v \in \rho(s) \mid ID_u \prec_s ID_v)\}$$

of “candidate” roots in state $s$. This set plays a crucial role in maintaining progress of our algorithm. As mentioned in the description of the algorithm, root nodes compete for being the root of the eventual spanning tree. We show that the root of the eventual spanning tree must always be present in $\Phi$ after time 2, and moreover, that $\Phi$ can only shrink with time (and thus $|\Phi|$ can never increase). These properties imply that if a state is in the set of “good” states

$$G = \{s \in F \mid |\Phi(s)| = 1\}$$

then the root of the final spanning tree is uniquely determined. Let $s$ be a state in $F$ such that $s \notin G$. Since $|\Phi(s)| > 1$, for achieving progress we need to show that starting from a state in $F$, $|\Phi|$ is reduced to 1 (i.e., a state in $G$ is reached) in expected $O(\delta)$ time. We do so using the intermediate state sets $C^=$ and $C^!$. $C^=$ is defined as the set of states

$$C^= = \{s \in F \mid \forall u, v \in \Phi(s),\ ID_u = ID_v\}$$

in which the IDs of all candidate roots are equal.

Figure 6-1: Proof Phases (diagram; the phases are labelled with Propositions 6.11, 6.12, 6.23, 6.24, 6.49 and 7.80)

To define $C^!$, we first define subsets $\Phi_i(s)$ of $\Phi$ as follows:

$$\Phi_i(s) = \{u \in \Phi(s) \mid \mathrm{IDLENGTH}(ID_u) = i\}$$

$\Phi_i(s)$ is defined as that subset of $\Phi(s)$ whose elements have IDs of a particular length $i$. (The set $\Phi_{>i}(s)$ contains elements having IDs of length greater than $i$; $\Phi_{<i}(s)$ is defined similarly.) We define the special subset

$$\Phi_{\max}(s) = \Phi_{i^*}(s), \quad \text{where } i^* = \max\{i \mid \Phi_i(s) \neq \emptyset\}$$

as that subset of $\Phi$ whose elements have IDs of maximal length. Finally, we are in a position to define $C^!$ as

$$C^! = \{s \in F \mid |\Phi_{\max}(s)| = 1\}$$

i.e., $C^!$ is the set of states in which there is just one element in $\Phi$ whose ID is of maximal length.


Having defined the relevant state sets, we now formally describe the phases of our proof; they are summarized in Figure 6-1.

The first statement states that starting from a start state, a forest-defining state is reached within time 3; the second statement states that once a forest-defining state is reached, the state always defines a forest. The last statement states that once a “good” state is reached, within time $2\delta$ the state defines a spanning tree.

By combining the statements above using Theorem 2.11 and Corollary 2.12, we obtain

$$F \xrightarrow[0.025]{81\delta + 36} G$$

and consequently

$$S \xrightarrow[0.025]{83\delta + 39} ST$$

Using the results of the proof summary above, we can derive an upper bound of $O(diameter)$ on the expected time required to reach a state of $ST$ starting from a state of $S$.


Theorem 6.2 Under any fair adversary, starting from any start state, the automaton RSST that implements our randomized self-stabilizing spanning tree algorithm reaches a state defining a spanning tree within expected $O(\delta)$ time.

Proof. Departing from a state in $F$, RSST reaches a state in $G$ in time (at most) $81\delta + 36$ with probability at least 0.025. Consider an execution of RSST starting from a state $s$ in $F$, and consider successive epochs of duration $81\delta + 36$. In the first epoch, the probability of attaining membership in $G$ (“success in the first epoch”) is at least 0.025. Since $F$ is closed, the probability of success in every such epoch is at least 0.025. Hence, the expected number of epochs needed to attain success has an upper bound of $\lceil 1/0.025 \rceil$, or 40. Hence, starting from a state in $F$, the expected time taken to reach a state in $G$ has an upper bound of $40 \cdot (81\delta + 36)$, which is $O(\delta)$. Since $S \xrightarrow{3} F$ and $G \xrightarrow{2\delta} ST$, the expected time to reach a state in $ST$ starting from a state in $S$ is $O(\delta)$. ∎


We now proceed with the details of the proof, i.e. the proofs of the probabilistic statements given above. Let $\mathcal{A} \in Fairadvs$ be a fair adversary for RSST. Let $z \in S$ be an arbitrary starting state. Let $H$ denote the execution automaton $H(RSST, \mathcal{A}, z)$. Let $\alpha'$ denote an execution of $H$, and let $\alpha$ be the corresponding execution $\alpha'|_{RSST}$ of RSST.

In Section 6.3, we prove the statements $S \xrightarrow{3} F$, $F \longrightarrow F$, $F \xrightarrow{2\delta} C^= \cup C^!$, and $G \xrightarrow{2\delta} ST$. The statement $C^= \longrightarrow C^!$ is proved in Section 7, and the statement $C^! \longrightarrow G$ is proved in Section 6.4.

6.3 Stabilization of Forest Structure, Candidate Root Properties

In this section we prove the statements $S \xrightarrow{3} F$, $F \longrightarrow F$, $F \xrightarrow{2\delta} C^= \cup C^!$, and $G \xrightarrow{2\delta} ST$.


6.3.1 Forest Structure: Establishment and Preservation

Each node $u$ maintains an “opinion” of the values of the shared variables of its neighbors in its own local variables. Claim 6.3 states that after time 1, this “opinion” must have actually been read from the neighbors, i.e. it is no longer arbitrarily set in the start state.

Claim 6.3 For any $s$ such that $s.now \ge 1$, $s.VAR_{uv} = s'.VAR_v$ for some $s'$ preceding $s$ in $\alpha$, where $VAR$ is one of $\{ID, distance, parent\}$.

Proof. Within time 1, node $u$ will have performed COPY$_{uv}$ for all neighbors $v$, and hence will have read the shared variables of all its neighbors at least once. ∎

Claim 6.4 and Lemma 6.5 show that the priority (defined as the tuple $(ID, distance)$) of a node cannot decrease (in terms of the order $\ll$ defined on priorities; cf. Definition 5.1); if it changes, it can only increase.

Claim 6.4 For any step $(s, \text{EXTEND-ID}_u, (\Omega, \mathcal{F}, P))$ of RSST, for any state $s' \in \Omega$, $s.ID_u \preceq_w s'.ID_u$.

Proof. Follows directly from Proposition 4.4(1). ∎
Lemma 6.5 For any step $(s, a, (\Omega, \mathcal{F}, P))$ of RSST, for any $s' \in \Omega$, $s.(ID_u, distance_u) \ll_= s'.(ID_u, distance_u)$.

Proof. The only actions which change $(ID_u, distance_u)$ are MAXIMIZE-PRIORITY$_u$ and EXTEND-ID$_u$. If MAXIMIZE-PRIORITY$_u$ is executed, only statements [F], [G] and [H] are capable of changing $(ID_u, distance_u)$. Let the “intermediate” value of $ID_u$ after executing statement [F] be $I$; then $s.ID_u \preceq_w I$. If [G] is executed, the value of $(ID_u, distance_u)$ cannot decrease, because of the direction of the precedence test. [H] leaves $ID_u$ intact and sets $distance_u$ to 0; thus $s.ID_u \preceq_w I = s'.ID_u$ and $s.distance_u \ge s'.distance_u$, and so the priority $(ID_u, distance_u)$ cannot decrease. By Claim 6.4, EXTEND-ID$_u$ cannot decrease $ID_u$, and therefore cannot decrease the priority $(ID_u, distance_u)$. ∎

Corollary 6.6 For all $s$ and $s'$ such that $s$ precedes $s'$ in $\alpha$, $s.(ID_u, distance_u) \ll_= s'.(ID_u, distance_u)$. ∎


Since priorities do not decrease, then, by Claim 6.3, priorities as observed by neighbors do not decrease:

Corollary 6.7 For any node $u$, any $v$, the value of $(ID_{uv}, distance_{uv})$ cannot decrease after time 1. ∎

We now establish that in any execution, any state after time 2 belongs to the set $F$, and thus defines a forest.

Lemma 6.8 For all $s$ such that $s.now \ge 2$, each node $u$ obeys the priority invariant:

$$(parent_u = v) \Rightarrow (ID_u, distance_u) \ll (ID_{uv}, distance_{uv}).$$

Proof. Consider any node $u$ which is a child of node $v$ in some state $s$ such that $s.now \ge 2$; thus $s.parent_u = v$. Node $u$ last executed the statement ($parent_u \leftarrow v$) in [G] at some step $(s_1, \text{MAXIMIZE-PRIORITY}_u, s_2)$, where $(s.now - 1) \le s_1.now \le s.now$. By [G], we have $s_2.(ID_u, distance_u) = s_1.(ID_{uv}, distance_{uv} + 1)$. Since $s_1$ precedes $s$ in $\alpha$ and $s_1.now \ge 1$, by Corollary 6.7, $s_1.(ID_{uv}, distance_{uv}) \ll_= s.(ID_{uv}, distance_{uv})$. Hence, we have:

$$\begin{aligned}
s.(ID_u, distance_u) &= s_2.(ID_u, distance_u) \\
&= s_1.(ID_{uv}, distance_{uv} + 1) \\
&\ll s_1.(ID_{uv}, distance_{uv}) \\
&\ll_= s.(ID_{uv}, distance_{uv})
\end{aligned}$$

Hence $s.(ID_u, distance_u) \ll s.(ID_{uv}, distance_{uv})$. ∎


Corollary 6.9 For all $s$ such that $s.now \ge 1$, for any node $u$ and any $v \in Nbrs(u)$, $s.(ID_{vu}, distance_{vu}) \le s.(ID_u, distance_u)$.

Proof. Let the last COPY$_{vu}$ step executed by $v$ be $(s_1, \mathrm{COPY}_{vu}, s_2)$. Then $s.(ID_{vu}, distance_{vu}) = s_2.(ID_{vu}, distance_{vu}) = s_1.(ID_u, distance_u)$. Since $s_1$ precedes $s$ in $\alpha$, by Corollary 6.6, $s_1.(ID_u, distance_u) \le s.(ID_u, distance_u)$. Hence $s.(ID_{vu}, distance_{vu}) \le s.(ID_u, distance_u)$. ∎


Corollary 6.10 $F \subseteq F'$.

Proof. Let $s \in F$. By the definition of $F$ (predicates 1 and 2), for any $u, v$ such that $v = parent_u$, $s.(ID_u, distance_u) < s.(ID_{uv}, distance_{uv}) \le s.(ID_v, distance_v)$. Since each node must have a strictly lower priority than its parent, $s$ cannot contain a cycle. ∎

Proposition 6.11 $S \xrightarrow{2} F$.

Proof. Immediate from Lemma 6.8 and Corollary 6.9. ∎


Proposition 6.12 $F$ is closed: $F \longrightarrow F$.

Proof. Let $(s, a, (\Omega, \Sigma, P))$ be a step of RSST. Let $s \in F$, and let $s' \in \Omega$. We need to show that $s' \in F$. Recall the definition of $F$:
$$s \in F \iff \forall u, v:\quad \begin{array}{l} 1.\ v = s.parent_u \Rightarrow s.(ID_u, distance_u) < s.(ID_{uv}, distance_{uv}) \\ 2.\ v \in Nbrs(u) \Rightarrow s.(ID_{vu}, distance_{vu}) \le s.(ID_u, distance_u) \end{array}$$

The only variables that determine membership in $F$ are $parent$, $ID$, and $distance$ (both local and shared copies). Thus the only actions that can change membership in $F$ are COPY, MAXIMIZE-PRIORITY and EXTEND-ID.

Case 1 $a = \mathrm{COPY}_{vu}$.

The only relevant effect is that $s'.(ID_{vu}, distance_{vu}) = s'.(ID_u, distance_u)$; thus predicate 2 of the definition of $F$ holds for $u$. If $u = parent_v$, then
$$\begin{aligned}
s'.(ID_v, distance_v) &= s.(ID_v, distance_v) \\
&< s.(ID_{vu}, distance_{vu}) && \text{(since } s \in F\text{)} \\
&\le s'.(ID_{vu}, distance_{vu}) && \text{(by Corollary 6.7)}
\end{aligned}$$
Hence $s'.(ID_v, distance_v) < s'.(ID_{vu}, distance_{vu})$, and predicate 1 holds. Since no other node predicates are affected, $s' \in F$.

Case 2 $a = \mathrm{MAXIMIZE\text{-}PRIORITY}_u$.

The only variables set are $ID_u$, $distance_u$ and $parent_u$, so we only need to check that in state $s'$, $u$ satisfies predicate 1, and that all neighbors of $u$ satisfy predicate 2. Either statement [G] or [H] of MAXIMIZE-PRIORITY$_u$ must be executed. If [G] is executed, $s'.(ID_u, distance_u) = s'.(ID_{ul}, (distance_{ul} + 1)) < s'.(ID_{ul}, distance_{ul})$, where $l = s'.parent_u$. Hence $u$ satisfies predicate 1. If [H] is executed, $u$ trivially satisfies predicate 1 in $s'$. For any $v \in Nbrs(u)$,
$$\begin{aligned}
s'.(ID_{vu}, distance_{vu}) &= s.(ID_{vu}, distance_{vu}) \\
&\le s.(ID_u, distance_u) && \text{(since } s \in F\text{)} \\
&\le s'.(ID_u, distance_u) && \text{(by Corollary 6.6)}
\end{aligned}$$
Thus any neighbor $v$ satisfies predicate 2, and hence $s' \in F$.

Case 3 $a = \mathrm{EXTEND\text{-}ID}_u$.

If $ID_u$ is extended, $u \in \rho(s')$, so $u$ trivially satisfies predicate 1 in state $s'$, and since $s \in F$, $u$ satisfies predicate 2 in $s'$. By an argument identical to that for Case 2, all neighbors $v$ of $u$ also satisfy the predicates, and so $s' \in F$. ∎
Henceforth in the proof, for all states mentioned we will assume that $s \in F$. Thus each state under discussion defines a forest.

We now show that the set of root nodes $\rho(s)$ can only diminish with time: a root may become a nonroot, but not vice-versa.

Lemma 6.13 $\rho(s') \subseteq \rho(s)$ for all $s, s'$ such that $s'$ follows $s$ in $\alpha$.

Proof. Suppose not, i.e. suppose $\exists u$ such that $u \in \rho(s')$ but $u \notin \rho(s)$. Then $s'.parent_u = nil$ and $s.parent_u \ne nil$. Hence there must exist a step $(s_3, \mathrm{MAXIMIZE\text{-}PRIORITY}_u, s_4)$ in $\alpha$, such that $s_3.parent_u \ne nil$, $s_4.parent_u = nil$, and [H] was executed in MAXIMIZE-PRIORITY$_u$. Let $s_3.parent_u = v$. From the test that causes [H] to be executed, $s_3.(ID_{uv}, distance_{uv}) \le s_3.(ID_u, distance_u)$. (Note that since $s_3.parent_u \ne nil$, [F] was not executed in this step.)

But since $s_3.parent_u = v$, there must exist a preceding step $(s_1, \mathrm{MAXIMIZE\text{-}PRIORITY}_u, s_2)$ in which $s_2.(ID_u, distance_u) = s_3.(ID_u, distance_u)$ and $parent_u$ was set to $v$. Since [G] was executed in this step, $s_2.(ID_{uv}, distance_{uv}) > s_2.(ID_u, distance_u)$. By Corollary 6.7, $s_3.(ID_{uv}, distance_{uv}) \ge s_2.(ID_{uv}, distance_{uv})$. Hence $s_3.(ID_{uv}, distance_{uv}) > s_3.(ID_u, distance_u)$, which contradicts the earlier assertion. ∎

6.3.2 ID Overrunning Properties

We now show that nodes must "learn" about "high" IDs existing in the network within $2\delta$ time: the smallest ID in the network after time $t + 2\delta$ is at least as large as the highest ID at time $t$. In this sense, high IDs "overrun" lower IDs.

Lemma 6.14 Let $Dist(u, v) = d$. For any state $s$, there exists a state $s'$ following $s$ such that $s'.now \le s.now + 2d$ and $s'.(ID_v, distance_v) \ge s.(ID_u, (distance_u + d))$.

Proof. By induction on $d$.
First, let $d = 0$. $u$ is the only node at distance 0 from itself. Substituting $d = 0$ in the statement, it can be seen to be trivially true ($s' = s$).

Now for the inductive step, for any node $v$ such that $Dist(u, v) = k$, assume that there exists $s'$ such that $s'.now \le s.now + 2k$ and $s'.(ID_v, distance_v) \ge s.(ID_u, (distance_u + k))$. Consider a node $w$ such that $Dist(u, w) = k + 1$. We need to show that there exists $s''$ such that $s''.now \le s.now + 2(k + 1)$ and $s''.(ID_w, distance_w) \ge s.(ID_u, (distance_u + k + 1))$.

Node $w$ must then have a neighbor $v$ such that $Dist(u, v) = k$. By the inductive hypothesis, there exists an $s'$ such that $s'.now \le s.now + 2k$ and $s'.(ID_v, distance_v) \ge s.(ID_u, (distance_u + k))$.

Now there must exist a step $(s_1, \mathrm{COPY}_{wv}, s_2)$ at some time after $(s.now + 2k)$ and up to $(s.now + 2k + 1)$, since our adversary must allow $w$ to execute every action in every unit of time. Since $s_1.now \ge s'.now$, by Corollary 6.6, $s_1.(ID_v, distance_v) \ge s'.(ID_v, distance_v)$. Hence $s_1.(ID_v, distance_v) \ge s.(ID_u, (distance_u + k))$, and since the COPY step sets $s_2.(ID_{wv}, distance_{wv}) = s_1.(ID_v, distance_v)$, we have $s_2.(ID_{wv}, distance_{wv}) \ge s.(ID_u, (distance_u + k))$.

There must exist another step $(s_3, \mathrm{MAXIMIZE\text{-}PRIORITY}_w, s'')$ at some time after $(s.now + 2k + 1)$ and up to $(s.now + 2k + 2)$. By Corollary 6.7, $s_3.(ID_{wv}, distance_{wv}) \ge s_2.(ID_{wv}, distance_{wv})$. After statement [E] of MAXIMIZE-PRIORITY$_w$, $(ID_{wl}, distance_{wl}) \ge (ID_{wv}, distance_{wv})$. Either statement [G] or [H] must be executed. If [G] is executed,
$$\begin{aligned}
s''.(ID_w, distance_w) &= s_3.(ID_{wl}, (distance_{wl} + 1)) \\
&\ge s_3.(ID_{wv}, (distance_{wv} + 1)) \\
&\ge s_2.(ID_{wv}, (distance_{wv} + 1)) \\
&\ge s.(ID_u, (distance_u + k + 1)).
\end{aligned}$$
Hence there exists $s''$ such that $s''.now \le (s.now + 2k + 2)$ and $s''.(ID_w, distance_w) \ge s.(ID_u, (distance_u + k + 1))$.

If [H] is executed, let the intermediate value of $ID_w$ after executing [F] be $I$. Then, since [H] is executed,
$$\begin{aligned}
s''.(ID_w, distance_w) &= (I, 0) \\
&\ge (I, s_3.distance_w) \\
&\ge s_3.(ID_{wl}, distance_{wl}) \\
&\ge s_3.(ID_{wv}, distance_{wv}) \\
&\ge s_2.(ID_{wv}, distance_{wv}) \\
&\ge s.(ID_u, distance_u + k) \\
&> s.(ID_u, distance_u + k + 1). \qquad ∎
\end{aligned}$$


Corollary 6.15 Let $Dist(u, v) = d$. For any state $s$, for all states $s'$ such that $s'.now \ge (s.now + 2d)$, $s'.(ID_v, distance_v) \ge s.(ID_u, distance_u + d)$.

Proof. Immediate from Lemma 6.5 and Lemma 6.14. ∎

Corollary 6.16 Let $Dist(u, v) = d$. For any $s$, there exists $s'$ following $s$ in $\alpha$ such that $s'.now \le s.now + 2d$ and $s'.ID_v \ge s.ID_u$. ∎

Definition 6.17 (MAXID) Given a state $s$, $s.MAXID = \max_{u \in \Phi(s)} s.ID_u$.

Corollary 6.18 For any $s$, there exists $s'$ following $s$ in $\alpha$ such that $s'.now \le s.now + 2\delta$ and $\forall u \in V$, $s'.ID_u \ge s.MAXID$. For all $s''$ such that $s''.now \ge s.now + 2\delta$, $s''.ID_u \ge s.MAXID$.


6.3.3 Candidate Root Properties

We first state a very important property of the set $\Phi(s)$. In effect, the ID of each root in $\Phi(s)$ is a prefix of the highest such ID. (Below, $\lhd$ denotes the strong ordering on IDs and $\prec$ the proper-prefix ordering.)

Observation 6.19 For any $s$ and any $u, v \in \Phi(s)$,

1. $\mathrm{IDLENGTH}(s.ID_u) < \mathrm{IDLENGTH}(s.ID_v) \Rightarrow s.ID_u \prec s.ID_v$.

2. $\mathrm{IDLENGTH}(s.ID_u) = \mathrm{IDLENGTH}(s.ID_v) \Rightarrow s.ID_u = s.ID_v$.

Proof. If $u, v \in \Phi(s)$, by the definition of $\Phi(s)$, it cannot be the case that $ID_u \lhd ID_v$ or $ID_u \rhd ID_v$. Hence $ID_u = ID_v$, or $ID_u \prec ID_v$, or $ID_u \succ ID_v$. Hence $\mathrm{IDLENGTH}(s.ID_u) < \mathrm{IDLENGTH}(s.ID_v)$ must imply $ID_u \prec ID_v$, and $\mathrm{IDLENGTH}(s.ID_u) = \mathrm{IDLENGTH}(s.ID_v)$ must imply $ID_u = ID_v$. ∎


Consider any root node $r$. The following lemma states that as long as $r$ stays a root, its ID can only change by extension (only by invoking the call Append-Entry() through actions MAXIMIZE-PRIORITY$_r$ or EXTEND-ID$_r$).

Lemma 6.20 Let $s, s'$ be any states such that $s'$ follows $s$ in $\alpha$. If $r \in (\rho(s) \cap \rho(s'))$, $s.ID_r \preceq s'.ID_r$.

Proof. Consider a node $r \in (\rho(s) \cap \rho(s'))$. Let $\alpha_1$ be the execution fragment $s\,a_1\,s_1 \ldots a_j\,s'$. If there exists a state $s_i \in \alpha_1$ such that $r \notin \rho(s_i)$, then $r \notin \rho(s')$ by Lemma 6.13. Hence $r \in \rho(s_i)$ for every state $s_i$ in $\alpha_1$.

Hence for every step $(s_i, a, (\Omega, \Sigma, P))$ in $\alpha_1$, for every state $s_j \in \Omega$, $s_i.parent_r = s_j.parent_r = nil$. Thus in action $a$, statement [G] of MAXIMIZE-PRIORITY$_r$ could not have been executed. Hence the only way $ID_r$ can change is through the call to Append-Entry(), made by [F] of MAXIMIZE-PRIORITY$_r$ or by EXTEND-ID$_r$. By Proposition 4.4(1), for every such $s_i$ and $s_j$, $s_i.ID_r \preceq s_j.ID_r$. By transitivity of $\preceq$, it follows that $s.ID_r \preceq s'.ID_r$. ∎


The following is a crucial property of our algorithm. To ensure fast progress, we want to ensure that if a root $r_1$ has an ID that is smaller than that of another root $r_2$, then the relationship will stay that way, even if the two roots never communicate directly. We can ensure this only if $r_2$'s ID is higher in the strong sense.

Lemma 6.21 For all $s, s'$ such that $s'$ follows $s$ in $\alpha$, if $r_1, r_2 \in (\rho(s) \cap \rho(s'))$, then $s.(ID_{r_1} \lhd ID_{r_2}) \Rightarrow s'.(ID_{r_1} \lhd ID_{r_2})$.

Proof. Immediate from Lemma 6.20 and Proposition 4.4(5). ∎


We now show that the set $\Phi$ is the set of roots that have a chance of "surviving": a root not in this set cannot be the root of the final spanning tree, and will definitely be overrun by some other tree. We now have a "competition" between roots in the forest. The "winner" of the competition will be the root of the eventual spanning tree. The set $\Phi$ is the set of roots still in the fray; all other roots have "lost" and will be overrun. All roots change their IDs only by extension (unless they cease to be a root), and by changing their ID they may lose their membership in $\Phi$.

Lemma 6.22 For all $s, s'$ such that $s'$ follows $s$ in $\alpha$, $\Phi(s') \subseteq \Phi(s)$.

Proof. Suppose not. Then there exists a node $r$ such that $r \in \Phi(s')$ but $r \notin \Phi(s)$. Since $r \in \rho(s')$, by Lemma 6.13 $r \in \rho(s)$. By the definition of $\Phi(s)$, there exists some node $q \in \Phi(s)$ such that $s.ID_r \lhd s.ID_q$. But by Corollary 6.6, $s.ID_q \le s'.ID_q$. Hence by Proposition 4.4(3), $s.ID_r \lhd s'.ID_q$. By Lemma 6.20, $s.ID_r \preceq s'.ID_r$. Applying Proposition 4.4(4), $s'.ID_r \lhd s'.ID_q$. Thus $r \notin \Phi(s')$, contradicting our earlier supposition. ∎


Proposition 6.23 states that if in some state $s$ the set $\Phi$ has just one member, a state $s'$ defining a spanning tree is reached within $2\delta$ time.

Proposition 6.23 $G \xrightarrow{2\delta} ST$.

Proof. Let $s$ be a state in $G$. By Corollary 6.18, there exists a state $s'$ following $s$ such that $s'.now \le s.now + 2\delta$ and for all $u \in V$, $s'.ID_u \ge s.MAXID$.

We have $|\Phi(s)| = 1$; therefore, a unique node $r$ has the maximum ID in $s$. Consider any node $q \ne r$ in $\rho(s)$. By definition of $\Phi(s)$, $s.ID_q \lhd s.ID_r$. Now if $q \in \rho(s')$, by Lemma 6.20, $s.ID_q \preceq s'.ID_q$, which implies $s'.ID_q \lhd s.ID_r$ by Proposition 4.4(4). But this contradicts our choice of $s'$, since $s'$ was chosen such that $s'.ID_q \ge s.ID_r$. Thus any node $q \ne r$ in $\rho(s)$ cannot be in $\rho(s')$. Since $\rho(s') \subseteq \rho(s)$ by Lemma 6.13, it follows that $\rho(s') = \{r\}$, and so $s' \in ST$. ∎
Proposition 6.24 $F \xrightarrow{2\delta} C^= \cup C^1$.

Proof. Let $s \in F$. Consider any execution $\alpha = s\,a_1\,s_1\,a_2\,s_2 \ldots$; let $\mu = s.MAXID$. By Corollary 6.18, there exists a state $s_t$ following $s$ in $\alpha$ such that $s_t.now \le s.now + 2\delta$, and for all $u \in V$, $s_t.ID_u \ge \mu$. Consider the execution prefix $\alpha_1 = s\,a_1\,s_1\,a_2 \ldots s_t$ of $\alpha$. We show that there must exist some state $s'$ in $\alpha_1$ such that $s' \in C^= \cup C^1$. For all $u$ in $\Phi(s_t)$, $s_t.ID_u \ge \mu$. Consider the following mutually exhaustive possibilities for $\Phi(s_t)$:

Case 1 For all $u \in \Phi(s_t)$, $s_t.ID_u = \mu$.

Then $s_t \in C^=$, and we are done.

Case 2 For some $u \in \Phi(s_t)$, $s_t.ID_u \succ \mu$.

Since $\Phi(s_t) \subseteq \Phi(s)$ by Lemma 6.22, $s_t.ID_u \succ \mu$ for some $u \in \Phi(s)$. Since each step in $\alpha$ changes at most one ID, and since $s.ID_u \preceq \mu$ for all $u \in \Phi(s)$, there must exist some state $s'$ in $\alpha_1$ such that there is exactly one node $v \in \Phi(s)$ for which $s'.ID_v \succ \mu$. Since $\Phi(s') \subseteq \Phi(s)$ by Lemma 6.22, $v$ is the only node in $\Phi(s')$ such that $s'.ID_v \succ \mu$. Hence $ID_v = \max_{w \in \Phi(s')}(ID_w)$, which implies that $v \in \Phi_{max}(s')$. There cannot exist another node $w \in \Phi_{max}(s')$, since that would imply that $s'.ID_w = s'.ID_v$, which would violate our assumption that $v$ is the only node in $\Phi(s')$ such that $s'.ID_v \succ \mu$. Hence $|\Phi_{max}(s')| = 1$, and so $s' \in C^1$.

Case 3 $s_t.ID_w \not\succ \mu$ for all $w \in \Phi(s_t)$, and there is at least one node $u \in \Phi(s_t)$ such that $s_t.ID_u \rhd \mu$.

Since $\Phi(s_t) \subseteq \Phi(s)$ by Lemma 6.22, there is at least one node $u \in \Phi(s)$ such that $s_t.ID_u \rhd \mu$. Since each step in $\alpha$ changes at most one ID, and since $s.ID_u \preceq \mu$ for all $u \in \Phi(s)$, there must exist some state $s'$ in $\alpha_1$ such that there is exactly one node $v \in \Phi(s)$ for which $s'.ID_v \rhd \mu$. There cannot exist a node $w \in \Phi(s)$ such that $s'.ID_w \succ \mu$, since that would imply by Corollary 6.6 that $s_t.ID_w \ge s'.ID_w$ and hence by Proposition 4.4(3) that $s_t.ID_w \succ \mu$, which contradicts our assumption that $s_t.ID_u \not\succ \mu$ for all $u \in \Phi(s_t)$. Thus for all $u$ other than $v$ in $\Phi(s)$, $s'.ID_u \preceq \mu$. Thus $\Phi_{max}(s') = \{v\}$; hence $|\Phi_{max}(s')| = 1$ and $s' \in C^1$. ∎
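The objects manipulated above (the prefix and strong orders on IDs, the priority invariant of $F$, the candidate set $\Phi(s)$, $\Phi_{max}(s)$ and the classes $C^=$, $C^1$ and $G$) can be made concrete in a few dozen lines. The following is an added example, not code from the thesis: it encodes IDs as lists of integer entries, takes the strong order to be decided at the first position where both IDs are defined and differ (the thesis defines these orders in Chapter 4, not on this page, so this is an assumption of the example), and replays the candidate competition of Observation 6.19, Lemma 6.22 and Proposition 6.24 on a constructed five-node state. The sample state, node names and the helper names are likewise the example's own.

```python
"""Model of the ID orders, the set F, the candidate roots Phi(s) and the classes
C=, C1 and G used in Chapter 6.  Added example; the list-of-integers encoding of
IDs, the definition of the strong order and the sample state are assumptions."""
import copy


def is_prefix(a, b):                 # a is a prefix of b (Append-Entry extends IDs)
    return len(a) <= len(b) and b[:len(a)] == a

def strongly_less(a, b):             # assumed strong order: decided at the first
    for x, y in zip(a, b):           # position where both IDs are defined and differ
        if x != y:
            return x < y
    return False                     # equal, or one is a prefix of the other

def id_less(a, b):                   # total order behind MAXID and ">=" on IDs
    return strongly_less(a, b) or (a != b and is_prefix(a, b))

def priority_less(p, q):             # (ID, distance): higher ID, then smaller distance
    (ida, da), (idb, db) = p, q
    return id_less(ida, idb) if ida != idb else da > db

def priority_leq(p, q):
    return p == q or priority_less(p, q)

# state[u] = {"id": [...], "distance": int, "parent": node or None,
#             "copies": {v: (ID_uv, distance_uv)}}, ID_uv being u's copy of v's ID.
def in_F(state):
    """Predicates 1 and 2 of the definition of F."""
    for u, su in state.items():
        own = (su["id"], su["distance"])
        v = su["parent"]
        if v is not None and not priority_less(own, su["copies"][v]):
            return False             # a child must lie strictly below its parent copy
        for sv in state.values():    # every neighbour's copy of u is at most u's value
            if u in sv["copies"] and not priority_leq(sv["copies"][u], own):
                return False
    return True

def parent_graph_is_forest(state):
    """Corollary 6.10: following parent pointers never revisits a node."""
    for u in state:
        seen, x = set(), u
        while x is not None:
            if x in seen:
                return False
            seen.add(x)
            x = state[x]["parent"]
    return True

def roots(state):
    return {u for u, su in state.items() if su["parent"] is None}

def candidates(state):
    """Phi(s): roots not strongly below any other root."""
    R = roots(state)
    return {r for r in R if not any(strongly_less(state[r]["id"], state[q]["id"]) for q in R)}

def maxid(state):
    best = None
    for u in candidates(state):
        if best is None or id_less(best, state[u]["id"]):
            best = state[u]["id"]
    return best

def phi_max(state):
    cs = candidates(state)
    longest = max(len(state[u]["id"]) for u in cs)
    return {u for u in cs if len(state[u]["id"]) == longest}

def classify(state):
    """G: one candidate; C=: all candidate IDs equal; C1: one of maximal length."""
    cs = candidates(state)
    if len(cs) == 1:
        return "G"
    if len({tuple(state[u]["id"]) for u in cs}) == 1:
        return "C="
    if len(phi_max(state)) == 1:
        return "C1"
    return "F" if in_F(state) else "not F"

def extend(state, u, entry):
    """Root u calls Append-Entry (a 'flip'); returns the successor state."""
    new = copy.deepcopy(state)
    new[u]["id"] = new[u]["id"] + [entry]
    return new

# Constructed sample (assumption): path a - b - c - d - f with roots a, c and f.
I0, I1, I2 = [3, 1], [3, 1, 2], [2, 9]
SAMPLE = {
    "a": {"id": I0, "distance": 0, "parent": None, "copies": {"b": (I0, 1)}},
    "b": {"id": I0, "distance": 1, "parent": "a", "copies": {"a": (I0, 0), "c": (I0, 0)}},
    "c": {"id": I1, "distance": 0, "parent": None, "copies": {"b": (I0, 1), "d": (I1, 1)}},
    "d": {"id": I1, "distance": 1, "parent": "c", "copies": {"c": (I1, 0), "f": (I2, 0)}},
    "f": {"id": I2, "distance": 0, "parent": None, "copies": {"d": (I1, 1)}},
}
```

In `SAMPLE`, root `f` is strongly below `a` and so is not a candidate, while `a` and `c` are prefix-comparable and both belong to $\Phi(s)$; the state is in $C^1$. Extending `a` by an entry larger than the next entry of `c` makes `c` strongly smaller and leaves a single candidate ($G$, a dominant flip); extending by a smaller entry removes `a` itself ($\Phi$ only shrinks, Lemma 6.22); extending by the same entry yields equal IDs ($C^=$), which is exactly the case split of Proposition 6.24.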


6.4 The ID-forcing Proposition

In this section we prove the statement $C^1 \xrightarrow{2\delta} G$ with probability at least 0.11, i.e., starting from a state in which there is only one candidate of maximal ID length, within $2\delta$ time, with probability at least 0.11, we reach a "good" state: a state in which there is just one candidate. This is a substantial progress property, since if a state is "good" then within $2\delta$ additional time we reach a state defining a spanning tree.

Let $s$ be a state in $C^1$, and let $H$ be the execution automaton $H(RSST, A, s)$. Let $\beta'$ be a maximal execution of $H$, and let $\beta$ (the projection of $\beta'$ onto RSST) $= s\,a_1\,s_1\,a_2\,s_2 \ldots$ be the corresponding execution of RSST. Let $l_{min}$ denote $\min_{u \in \Phi(s)}(\mathrm{IDLENGTH}(s.ID_u))$, and let $l_{max}$ be defined analogously. Thus all nodes in $\Phi(s)$ have ID lengths between $l_{min}$ and $l_{max}$. Let $\mu = s.MAXID$, and let $r$ be the unique element of $\Phi(s)$ such that $s.ID_r = \mu$. (Since $s \in C^1$, $r$ is unique.) Thus $r$ is the unique candidate root in $s$ having the maximum ID length $l_{max}$.

By the ID overrunning property, Corollary 6.18, there exists a state $s_t$ following $s$ in $\beta$ such that $s_t.now \le s.now + 2\delta$ and for all $u \in V$, $s_t.ID_u \ge \mu$. Let $s_t$ be the first such state in $\beta$. Let $\beta_1$ be the execution prefix $s\,a_1\,s_1\,a_2\,s_2 \ldots s_t$.

We will use these definitions of $s$, $s_t$, $\beta$, $\beta_1$, $l_{min}$, $l_{max}$, $\mu$, and $r$ throughout the rest of this section.


We first give some basic definitions and observations related to these definitions.

Definition 6.25 (Competitive and dominant nodes) Let $H$, $s$, $s_t$, $\mu$, $\beta$ and $\beta_1$ be as defined above, and let $i \le l_{max}$. Then,

• Node $u$ is competitive at the $i^{th}$ position in $\beta$, if there exists $s' \in \beta_1$ such that $u \in \rho(s')$ and $s'.ID_u[1..i] = \mu[1..i]$.

• Node $u$ is dominant at the $i^{th}$ position in $\beta$, if there exists $s' \in \beta_1$ such that $u \in \rho(s')$, $s'.ID_u[1..(i-1)] = \mu[1..(i-1)]$, and $s'.ID_u[i] > \mu[i]$. Node $u$ is dominant before the $i^{th}$ position in $\beta$ if there exists a $j < i$ such that $u$ is dominant at the $j^{th}$ position.


We now state some observations arising from the above definitions. The first property states that competitiveness and dominance of a node at a particular position are mutually exclusive:

Claim 6.26 A node $u$ cannot be both competitive and dominant at the $i^{th}$ position, for any $i$.

Proof. Suppose $u$ is competitive and dominant at the $i^{th}$ position in $\beta$. Since it is competitive, there exists $s' \in \beta_1$ such that $u \in \rho(s')$ and $s'.ID_u[i] = \mu[i]$. Since it is dominant, there exists $s'' \in \beta_1$ such that $u \in \rho(s'')$ and $s''.ID_u[i] > \mu[i]$. Clearly, $s'.ID_u[i] \ne s''.ID_u[i]$.

Now $s'$ must either precede or follow $s''$ in $\beta$. If $s'$ precedes $s''$, Lemma 6.20 implies that $s'.ID_u \preceq s''.ID_u$, which implies $s'.ID_u[i] = s''.ID_u[i]$, which is a contradiction. Similarly, the other case, $s'$ follows $s''$, leads to the same contradiction. ∎

Claim 6.27 If a node $u$ is either competitive or dominant at the $i^{th}$ position in $\beta$, it is competitive at the $j^{th}$ position for all $j < i$.

Proof. Straightforward from Definition 6.25. ∎

Claim 6.28 If a node $u$ is dominant at the $i^{th}$ position in $\beta$, it cannot be competitive at the $j^{th}$ position for any $j \ge i$.

Proof. Follows directly from Claims 6.26 and 6.27. ∎

Claim 6.29 Any $u \in \Phi(s)$ is competitive at the $l_{min}^{th}$ position in $\beta$.

Proof. By the definition of $\mu$, and by Observation 6.19, $s.ID_u \preceq \mu$, and further, $\mathrm{IDLENGTH}(s.ID_u) \ge l_{min}$. Hence $s.ID_u[1..l_{min}] = \mu[1..l_{min}]$. ∎

Corollary 6.30 No node $u \in \Phi(s)$ is dominant before the $(l_{min} + 1)^{th}$ position in $\beta$.

Proof. Follows directly from Claims 6.28 and 6.29. ∎


Definition 6.31 (Competitive and dominant executions) Let $H$, $s$, $s_t$, $\mu$, $\beta$ and $\beta_1$ be as defined above. Then,

• Execution $\beta$ is competitive at the $i^{th}$ position if no node is dominant before the $(i + 1)^{th}$ position.

• Execution $\beta$ is dominant at the $i^{th}$ position if no node is dominant before the $i^{th}$ position and there exists $u \in \Phi(s)$ such that $u$ is dominant at the $i^{th}$ position. ∎

Claim 6.32 An execution $\beta$ cannot be both competitive and dominant at the $i^{th}$ position, for any $i$.

Proof. Follows directly from Definition 6.31. ∎

Claim 6.33 Let $i < l_{max}$. If $\beta$ is competitive at the $i^{th}$ position, it is either competitive or dominant at the $(i + 1)^{th}$ position.

Proof. Since $\beta$ is competitive at the $i^{th}$ position, no node is dominant before the $(i + 1)^{th}$ position. If some node is dominant at the $(i + 1)^{th}$ position, $\beta$ is dominant at the $(i + 1)^{th}$ position. Otherwise, no node is dominant before the $(i + 2)^{th}$ position, and hence $\beta$ is competitive at the $(i + 1)^{th}$ position. ∎
Having described competitive and dominant executions, we now define the corresponding events of $H$.

Definition 6.34 (Competitive and dominant events) Let $H$, $s$, and $s_t$ be as defined above. Then,

• The event $e_c^{[i]}$, "competitiveness at position $i$," is defined as
$$e_c^{[i]} \triangleq \{\beta' \in \Omega_H \mid \beta \text{ is competitive at the } i^{th} \text{ position}\}$$

• The event $e_c^{[i,j]}$ consists of those executions in $e_c^{[i]}$ in which exactly $j$ nodes in $\Phi(s)$ are competitive at the $i^{th}$ position.

• The event $e_d^{[i]}$, "dominance at position $i$," is defined as
$$e_d^{[i]} \triangleq \{\beta' \in \Omega_H \mid \beta \text{ is dominant at the } i^{th} \text{ position}\}$$

• The event $e_G$ is defined as a subset of the set of executions in which a state in $G$ is reached within time $2\delta$; in particular,
$$e_G \triangleq \{\beta' \in \Omega_H \mid (\exists s' \in \beta_1)\; s' \in G\}$$


We now state some important properties of events.

Claim 6.35 $e_c^{[i]} = \bigcup_{j=1}^{n} e_c^{[i,j]}$.

Proof. From the definitions (recall that $n$ is the size of the network). ∎

Claim 6.36 For any $i \le l_{max}$, $e_c^{[i]} \cap e_d^{[i]} = \emptyset$.

Proof. Follows from Claim 6.32. ∎

Claim 6.37 For any $i \le (l_{max} - 1)$, $e_c^{[i+1]} \cup e_d^{[i+1]} \subseteq e_c^{[i]}$.

Proof. Follows from Definitions 6.34 and 6.31. ∎

Claim 6.38 For any $i \le (l_{max} - 1)$, $e_c^{[i]} = e_c^{[i+1]} \cup e_d^{[i+1]}$.

Proof. By Claim 6.37, $e_c^{[i+1]} \cup e_d^{[i+1]} \subseteq e_c^{[i]}$. By Claim 6.33, $e_c^{[i]} \subseteq e_c^{[i+1]} \cup e_d^{[i+1]}$. Hence the claim follows. ∎

Claim 6.39 $\Omega_H = e_c^{[l_{min}]}$.

Proof. Consider any execution $\beta' \in \Omega_H$. From Corollary 6.30, it follows that $\beta$ is competitive at the $l_{min}^{th}$ position. ∎

Claim 6.40 $\Omega_H = e_d^{[l_{min}+1]} \cup e_d^{[l_{min}+2]} \cup \cdots \cup e_d^{[l_{max}-1]} \cup e_c^{[l_{max}-1]}$.

Proof. We have,
$$\begin{aligned}
\Omega_H &= e_c^{[l_{min}]} && \text{(Claim 6.39)} \\
&= e_d^{[l_{min}+1]} \cup e_c^{[l_{min}+1]} && \text{(Claim 6.38)} \\
&= e_d^{[l_{min}+1]} \cup e_d^{[l_{min}+2]} \cup e_c^{[l_{min}+2]} && \text{(Applying Claim 6.38 again)} \\
&= e_d^{[l_{min}+1]} \cup e_d^{[l_{min}+2]} \cup \cdots \cup e_d^{[l_{max}-1]} \cup e_c^{[l_{max}-1]} && \text{(Inductively applying Claim 6.38)} \qquad ∎
\end{aligned}$$

Note that Claim 6.40 defines a partition of $\Omega_H$.


Definition 6.41 Node $u$ flips at the $i^{th}$ position in $\beta$, if in $\beta$, there exists a step $(s', a, s'')$ such that in $a$, $u$ makes a call to Append-Entry which appends an entry to $ID_u$ at the $i^{th}$ position.

Lemma 6.42 Let $\beta \in e_c^{[i]}$. For any $u \in \Phi(s)$, if $\mathrm{IDLENGTH}(s.ID_u) \le i$, and if $u$ is competitive at the $i^{th}$ position in $\beta$, then $u$ flips at the $(i + 1)^{th}$ position in $\beta$.

Proof. Consider $\beta_1 = s\,a_1\,s_1\,a_2 \ldots s_t$. Since $u$ is competitive at the $i^{th}$ position in $\beta$, there exists an $s_j \in \beta_1$ such that $u \in \rho(s_j)$ and $s_j.ID_u[1..i] = \mu[1..i]$. Also, by the definition of $s_t$, $s_t.ID_u \ge \mu$. Now, by Lemma 6.20, $ID_u$ can only change by extension in $s\,a_1\,s_1\,a_2 \ldots s_t$, so we can choose $s_j$ such that $s_j.ID_u = \mu[1..i]$.

Consider the suffix of the execution that starts with $s_j$. The only way $ID_u$ can change between $s_j$ and $s_t$ is by executing calls to Append-Entry or by executing statement [G]. If Append-Entry is performed first, an entry is appended at the $(i + 1)^{th}$ position, so we are done. If [G] is executed, there exists a node $l$ such that $ID_{ul} > ID_u$. By Claim 6.3, $ID_{ul} = ID_l$ for some preceding state. Since $\beta \in e_c^{[i]}$, $l$ is not dominant before the $(i + 1)^{th}$ position, and hence $ID_l[1..i] = \mu[1..i]$. Hence $ID_u \prec ID_{ul}$, and so the call to Append-Entry in [F] must have been executed first, in which case $u$ would have flipped at the $(i + 1)^{th}$ position. ∎
Lemma 6.43 For any $i \le l_{max}$, $e_c^{[i,1]} \subseteq e_G$.

Proof. If $\beta \in e_c^{[i]}$, no node is dominant before the $(i + 1)^{th}$ position, so for any $u \in \Phi(s_t)$, $s_t.ID_u[1..i] = \mu[1..i]$. But then any such node is competitive at the $i^{th}$ position, and there is only one such node, since $\beta \in e_c^{[i,1]}$. Hence $|\Phi(s_t)| = 1$, and so $s_t \in G$. ∎


We now list, without proof, some basic results of conditional probability:

Proposition 6.44 Let $A$, $A_i$, $B$, $B_i$, and $X$ be events on a sample space. Then,

1. If $A = \bigcup_{i=1}^{k} A_i$, then $P(X \mid A) \ge \min_i P(X \mid A_i)$.

2. If $A \subseteq \bigcup_{i=1}^{k} A_i$, then $P(X \mid A) \ge \min_i P(X \mid A \cap A_i)$.

3. Let $\bigcup_{i=1}^{k} A_i \subseteq A$. If $P((\bigcup_{i=1}^{k} A_i) \mid A) = p$, and if $P(X \mid A_i) = p_i$, then $P(X \mid A) \ge p \times \min_i\{p_i\}$. ∎


Lemma 6.45 For any $i$ such that $(l_{min} + 1) \le i \le l_{max}$ and any $j \ge 1$, $P(e_G \mid e_d^{[i]} \cap e_c^{[i-1,j]}) \ge 1/2$.

Proof. Consider any execution $\beta \in e_d^{[i]} \cap e_c^{[i-1,j]}$. Since $\beta \in e_c^{[i-1,j]}$, there are $j$ nodes competitive at the $(i - 1)^{th}$ position. Of these $j$ nodes, there are exactly $|\Phi_{>(i-1)}(s)|$ nodes $u$ such that $\mathrm{IDLENGTH}(s.ID_u) > (i - 1)$ (writing $\Phi_{>(i-1)}(s)$ for the nodes of $\Phi(s)$ whose ID length exceeds $i - 1$), and consequently $k = j - |\Phi_{>(i-1)}(s)|$ nodes such that $\mathrm{IDLENGTH}(s.ID_u) \le (i - 1)$. Thus by Lemma 6.42, each of these $k$ nodes must flip at the $i^{th}$ position. Hence $\Omega_k$ describes the sample space corresponding to these $k$ flips. If $\beta \in e_d^{[i]}$, there exists a flip higher than $\mu[i]$. If exactly one of these flips is the highest, then $\beta \in e_G$. Thus,
$$P(e_G \mid e_d^{[i]} \cap e_c^{[i-1,j]}) \ge P_{\Omega_k}(\mathrm{UNIQH} \mid (\mathrm{Highest} > \mu[i])) \ge 1/2,$$
by Theorem 4.2. ∎


Theorem 6.46 For any $i$ such that $(l_{min} + 1) \le i \le l_{max}$, $P(e_G \mid e_d^{[i]}) \ge 1/2$.

Proof. We have $e_d^{[i]} \subseteq e_c^{[i-1]}$ by Claim 6.38. Thus by Claim 6.35,
$$e_d^{[i]} \subseteq \bigcup_{j=1}^{n} e_c^{[i-1,j]},$$
which implies, by Proposition 6.44(2), that
$$P(e_G \mid e_d^{[i]}) \ge \min_j P(e_G \mid e_d^{[i]} \cap e_c^{[i-1,j]}).$$
Since by Lemma 6.45 $P(e_G \mid e_d^{[i]} \cap e_c^{[i-1,j]}) \ge 1/2$ for all $j$, it follows that $P(e_G \mid e_d^{[i]}) \ge 1/2$. ∎


Lemma 6.47 For any $j \ge 1$, $P((e_d^{[l_{max}]} \cup e_c^{[l_{max},1]}) \mid e_c^{[l_{max}-1,j]}) \ge 0.22$.

Proof. Consider any $\beta \in e_c^{[l_{max}-1,j]}$. There are $j$ nodes competitive at the $(l_{max} - 1)^{th}$ position; of these, $\mathrm{IDLENGTH}(s.ID_u) > l_{max} - 1$ for exactly one node $r$, and thus $\mathrm{IDLENGTH}(s.ID_u) \le l_{max} - 1$ for exactly $(j - 1)$ nodes $u$. Thus by Lemma 6.42 these $(j - 1)$ nodes must flip at the $l_{max}^{th}$ position in $\beta$, and the sample space $\Omega_{j-1}$ describes these flips. The event $e_d^{[l_{max}]}$ is equivalent to the event $(\mathrm{Highest} > \mu[l_{max}])$. The event $e_c^{[l_{max},1]}$ is equivalent to the event $(\mathrm{Highest} < \mu[l_{max}])$, since one node $r$ is already known to be competitive at the $l_{max}^{th}$ position. Thus,
$$P((e_d^{[l_{max}]} \cup e_c^{[l_{max},1]}) \mid e_c^{[l_{max}-1,j]}) = P_{\Omega_{j-1}}(\mathrm{Highest} \ne \mu[l_{max}]) \ge 0.22$$
by Theorem 4.3. ∎
Theorem 6.48 $P(e_G \mid e_c^{[l_{max}-1]}) \ge 0.11$.

Proof. Consider the event $e_c^{[l_{max}-1,j]}$. By Lemma 6.47, $P((e_d^{[l_{max}]} \cup e_c^{[l_{max},1]}) \mid e_c^{[l_{max}-1,j]}) \ge 0.22$. Thus, we have
$$P\big((e_d^{[l_{max}]} \cap e_c^{[l_{max}-1,j]}) \cup (e_c^{[l_{max},1]} \cap e_c^{[l_{max}-1,j]}) \;\big|\; e_c^{[l_{max}-1,j]}\big) \ge 0.22.$$
Also, by Lemma 6.45,
$$P(e_G \mid e_d^{[l_{max}]} \cap e_c^{[l_{max}-1,j]}) \ge 1/2,$$
and by Lemma 6.43,
$$P(e_G \mid (e_c^{[l_{max},1]} \cap e_c^{[l_{max}-1,j]})) = 1.$$
Hence applying Proposition 6.44(3), we have
$$P(e_G \mid e_c^{[l_{max}-1,j]}) \ge (0.22)(1/2) = 0.11.$$
Now by Claim 6.35, $e_c^{[l_{max}-1]} = \bigcup_{j} e_c^{[l_{max}-1,j]}$. Thus by Proposition 6.44(1),
$$P(e_G \mid e_c^{[l_{max}-1]}) \ge \min_j P(e_G \mid e_c^{[l_{max}-1,j]}) \ge 0.11. \qquad ∎$$

Proposition 6.49 $P(e_G \mid \Omega_H) \ge 0.11$, or equivalently, $C^1 \xrightarrow{2\delta} G$ with probability at least 0.11.

Proof. By Claim 6.40, $\Omega_H = e_d^{[l_{min}+1]} \cup e_d^{[l_{min}+2]} \cup e_d^{[l_{min}+3]} \cup \cdots \cup e_d^{[l_{max}-1]} \cup e_c^{[l_{max}-1]}$. By Theorem 6.46, $P(e_G \mid e_d^{[i]}) \ge 1/2$, and by Theorem 6.48, $P(e_G \mid e_c^{[l_{max}-1]}) \ge 0.11$. Hence applying Proposition 6.44(1),
$$\begin{aligned}
P(e_G \mid \Omega_H) &= P(e_G \mid e_d^{[l_{min}+1]} \cup e_d^{[l_{min}+2]} \cup \cdots \cup e_d^{[l_{max}-1]} \cup e_c^{[l_{max}-1]}) \\
&\ge \min(1/2, 1/2, \ldots, 1/2, 0.11) \\
&= 0.11. \qquad ∎
\end{aligned}$$
Chapter 7

Correctness and Complexity Proof: Part 2 - The Coloring Algorithm

In this chapter we prove the Tree Detection Proposition, $C^= \xrightarrow{77\delta + 36} C^1$ (Proposition 7.80). Thus, starting from a state in $C^=$, within time $77\delta + 36$, with probability at least 2/9, we reach a state in which only one candidate has the maximal ID length. This is the "tree detection" property: if, in some state, all root nodes in the network have equal IDs, then, because of the coloring, the competition makes "progress" within expected $O(\delta)$ time.

The overall strategy of the proof is as follows: We first show, in Lemma 7.1, that starting from a state $s \in C^=$, any execution fragment $\alpha$ must remain in $C^=$ until a state in $C^1$ is reached. Thus, to show the partial progress properties of the coloring algorithm, we consider an execution fragment $\alpha_1$ in $C^=$. Next, in Section 7.1, we show that within time $2\delta + 1$ in $\alpha_1$, a state defining a "stable forest" is reached. (We denote the set of states defining a stable forest by $C^=_{SF}$.) Let $\alpha_2$ be any execution fragment in $C^=_{SF}$. The graph of parent pointers remains fixed in $C^=_{SF}$; the network can thus be visualized as a collection of "fixed" trees over which the coloring algorithm runs.

When a state in $C^=_{SF}$ is reached, the coloring variables (i.e., $color$, $mode$) may be in an inconsistent state: normal "broadcast" and "echo" waves (cf. Section 5.1) may not be able to commence immediately. Section 7.2 shows that within time $17\delta + 7$ in $\alpha_2$, a state is reached in which the coloring variables become consistent. ($C^=_{C}$ is the state set consisting of such states.) The coloring algorithm can proceed normally in any execution fragment $\alpha_3$ in $C^=_{C}$.

Let $\alpha_3$ be a fragment in $C^=_{C}$. For any tree $T_r$, $\alpha_3$ can be partitioned into coloring epochs for $T_r$. In each coloring epoch $\gamma$ in $C^=_{C}$, the root color is propagated to all nodes in $T_r$ (through a "broadcast wave"), and the root waits for all nodes in its tree to echo before choosing a new color and initiating the next coloring epoch. If a node with a non-zero color in some tree $T$ notices that a neighbor has a non-zero color different from its own color, it sets $other\text{-}trees$ to true, and this information is propagated to its root. (It is "piggy-backed" on the "echo wave"; its ancestors successively set their $other\text{-}trees$ to true while echoing.) After a root sets $other\text{-}trees$ to true, it extends its ID, thus reaching a state in $C^1$.

As discussed in Section 5.1, when a node receives a new non-zero color it waits until 1) it has observed a non-zero color for each of its neighbors, and 2) each neighbor has observed its own color. Section 7.2.2 and Lemma 7.61 show that a node cannot be "blocked" by its neighbors in this fashion for more than $10\delta + 5$ time. Based on this result, a coloring epoch cannot last more than $13\delta + 6$ time. (Note that the individual node "waits" are not dependent on each other; they can overlap.)

Each coloring epoch in $C^=_{C}$ gives a tree at least one "opportunity" to detect neighboring trees, and each epoch lasts at most $13\delta + 6$ time. Section 7.3 formalizes this notion. If $T$ and $T'$ are neighboring trees, we show that starting from a state in $C^=_{C}$, at least one of the two trees must detect the existence of the other within time $58\delta + 28$, with probability at least 2/9. When this information is conveyed to the root of the "noticing" tree shortly thereafter, that root extends its ID, and a state in $C^1$ is reached. Since the total time elapsed starting from a state in $C^=$ would then be $77\delta + 36$, the Tree Detection Proposition (Proposition 7.80) follows.

We now proceed with the details of the proof.


Lemma 7.1 Let $\alpha = s_0\,a_1\,s_1 \ldots s_n$ be an execution fragment of RSST, and let $s_0 \in C^=$. Then, unless a state in $C^1$ is reached in $\alpha$, the following conditions hold for all states $s$ in $\alpha$:

1. $s \in C^=$

2. $\Phi(s) = \Phi(s_0)$

3. $s.MAXID = s_0.MAXID$.

Proof. Consider any step $(s, a, s')$ such that $s \in C^=$. Since $C^= \subseteq F$, by the definition of $F$, $s.ID_{uv} \le s.MAXID$ for every $u, v$. Let $u$ be the node executing action $a$. Then there exist two possibilities:

Case 1 $u \notin \Phi(s)$.
Then $u \notin \Phi(s')$ by Lemma 6.22, and since all other IDs are unchanged, (1) $s' \in C^=$, (2) $\Phi(s') = \Phi(s)$, and (3) $s'.MAXID = s.MAXID$.

Case 2 $u \in \Phi(s)$.
Then $u$ must be in $\rho(s')$, since otherwise $u$ must have executed statement [G] in MAXIMIZE-PRIORITY$_u$, which would imply that there exists a node $l$ such that $s.ID_{ul} > s.ID_u$, which is impossible since $s \in F$ and $s.ID_u = s.MAXID$. Thus by Lemma 6.20, $s.ID_u \preceq s'.ID_u$. If $s.ID_u = s'.ID_u$, (1) $s' \in C^=$, (2) $\Phi(s') = \Phi(s)$, and (3) $s'.MAXID = s.MAXID$. If $s.ID_u \prec s'.ID_u$, then since the IDs of all other roots in $\Phi$ are unchanged, $s' \in C^1$.

By induction on the steps in $\alpha$, the Lemma follows. ∎


The following definition makes it convenient to describe progress properties of executions starting from a state in $C^=$. By Lemma 7.1, such an execution must either reach a state in $C^1$ or remain in $C^=$. Thus, progress towards a subset $U'$ of $C^=$ can be described in terms of the following notation:

Definition 7.2 If $U$ and $U'$ are state sets, then
$$U \xrightarrow{t}_{c} U' \;\triangleq\; U \xrightarrow{t} U' \cup C^1.$$

Recall from Section 2 that set $U$ is closed, written $U \longrightarrow U$, if for any $s \in U$ and any step $(s, a, (\Omega, \Sigma, P))$, $\Omega \subseteq U$. We now give an analogous definition for analyzing the coloring algorithm:

Definition 7.3 $U \Longrightarrow U$, if for any $s \in U$ and any step $(s, a, (\Omega, \Sigma, P))$, $\Omega \subseteq U \cup C^1$.

Thus if $U \Longrightarrow U$, any execution fragment beginning with a state in $U$ remains in $U$ until a state in $C^1$ is reached.


7.1 Forest Stability

We now define a very important notion, that of a "stable forest." In order for the recoloring algorithm (used to detect other trees) to succeed in $O(\delta)$ expected time, the forest structure must be "stable" while the algorithm is operating, i.e., the parent pointers remain fixed. We now precisely define the set $C^=_{SF}$ of states defining a stable forest. We then show that starting from a state in $C^=$, within time $2\delta + 1$, unless a state of $C^1$ is reached, a state defining a stable forest is reached.

Definition 7.4 ($C^=_{SF}$) The set $C^=_{SF}$ ("SF" for "Stable Forest") is the set of all states $s \in C^=$ for which the following conditions hold for all nodes $u$:

1. $s.ID_u = s.MAXID$,

2. $u \in \rho(s) \Rightarrow distance_u = 0$, and

3. $(parent_u = v) \Rightarrow$
   • $distance_{uv} = distance_v$,
   • $distance_u = distance_{uv} + 1$, and
   • $v = \max_{x \in Nbrs(u)}\{x \mid (ID_{ux}, distance_{ux}) = \max_{w \in Nbrs(u)}(ID_{uw}, distance_{uw})\}$.
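The three conditions of Definition 7.4 are exactly the kind of invariant one wants to be able to check mechanically on a snapshot of the shared variables. The following added example (not the thesis's code) does so. It models a state as a dictionary of per-node variables plus each node's copies of its neighbours' $(ID, distance)$ pairs; because condition 1 forces every ID to equal $MAXID$, the example further assumes that the shared ID copies already equal $MAXID$ (an assumption of the example, not a clause of the definition), so that the priority comparison in condition 3 reduces to comparing copied distances, with node names standing in for the tie-break $\max_x$. The sample forest, node names and function names are the example's own.

```python
"""Checker for the stable-forest conditions of Definition 7.4.  Added example,
not the thesis's code.  State encoding (assumed): node -> own variables plus
shared copies; because condition 1 forces every ID to equal MAXID, the example
assumes the shared ID copies already equal MAXID too, so that the priority
comparison in condition 3 reduces to distances, with node names as tie-break."""
import copy


def max_priority_neighbours(su, m):
    """Neighbours x whose copy (ID_ux, distance_ux) is maximal: copies whose ID is
    not MAXID rank below any MAXID copy; among MAXID copies a smaller distance wins."""
    best, winners = None, []
    for x, (cid, cdist) in su["copies"].items():
        if cid != m:
            continue
        if best is None or cdist < best:
            best, winners = cdist, [x]
        elif cdist == best:
            winners.append(x)
    return winners


def unstable_nodes(state, m):
    """Every (node, violated clause) pair of Definition 7.4; empty iff s is in C=_SF."""
    bad = []
    for u, su in state.items():
        if su["id"] != m:
            bad.append((u, "clause 1: ID differs from MAXID"))
            continue
        v = su["parent"]
        if v is None:
            if su["distance"] != 0:
                bad.append((u, "clause 2: root with nonzero distance"))
            continue
        cid, cdist = su["copies"][v]
        if cdist != state[v]["distance"]:
            bad.append((u, "clause 3: copy of parent distance is stale"))
        if su["distance"] != cdist + 1:
            bad.append((u, "clause 3: distance is not parent copy + 1"))
        winners = max_priority_neighbours(su, m)
        if not winners or v != max(winners):
            bad.append((u, "clause 3: parent is not the max-priority neighbour"))
    return bad


def is_stable_forest(state, m):
    return not unstable_nodes(state, m)


def variant(state, node, **fields):
    """Deep-copy state and overwrite the given variables of one node."""
    new = copy.deepcopy(state)
    new[node].update(fields)
    return new


# Constructed sample (assumption): root r with children a and d, and c below d;
# c is also adjacent to a, at the same distance as d, so the name tie-break decides.
M = [3, 1, 2]
STABLE = {
    "r": {"id": M, "distance": 0, "parent": None, "copies": {"a": (M, 1), "d": (M, 1)}},
    "a": {"id": M, "distance": 1, "parent": "r", "copies": {"r": (M, 0), "c": (M, 2)}},
    "d": {"id": M, "distance": 1, "parent": "r", "copies": {"r": (M, 0), "c": (M, 2)}},
    "c": {"id": M, "distance": 2, "parent": "d", "copies": {"a": (M, 1), "d": (M, 1)}},
}
# Same forest, but c points to the lower-named of two equal-priority neighbours.
WRONG_TIEBREAK = variant(STABLE, "c", parent="a")
# c's copy of its parent d lags behind d's real distance.
STALE_COPY = variant(STABLE, "c", copies={"a": (M, 1), "d": (M, 3)})
```

The two variants show why the definition needs all of clause 3 and not just the parent pointer: in `WRONG_TIEBREAK` every distance is consistent, yet the next MAXIMIZE-PRIORITY$_c$ would select `d` in [E] and move the pointer, so the forest is not stable; in `STALE_COPY` the pointer is right but the copied distance is not, and the same step would change $distance_c$ and the parent. Lemma 7.5 relies on exactly these conditions to conclude that [G] re-selects the current parent.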


Lemma 7.5 For any step $(s, a, (\Omega, \Sigma, P))$ such that $s \in C^=_{SF}$, and for any $s' \in \Omega$, for all $u$ and $v$, $s.(parent_u = v) \Rightarrow s'.(parent_u = v)$.

Proof. Let $s' \in \Omega$. The only action $a$ that could change $parent_u$ is MAXIMIZE-PRIORITY$_u$. Since $s \in C^=_{SF}$, for any $w \in Nbrs(u)$ such that $w \ne s.parent_u$, $s.(ID_{uw}, distance_{uw}) \le s.(ID_u, distance_u) = (s.MAXID, s.distance_u)$. Thus if $v = s.parent_u$, $(ID_{uv}, distance_{uv}) = \max_{x \in Nbrs(u)}(ID_{ux}, distance_{ux})$. Hence $l$ is set to $v$ in [E], [F] does not change $ID_u$, and [G] ensures that $s'.parent_u = v$. ∎


Lemma 7.6 $C_{SF} \Rightarrow C_{SF}$.

Proof. Let $(s, a, (\Omega, \mathcal{F}, P))$ be a step such that $s \in C_{SF}$. Let $s' \in \Omega$, and let $a$ be performed by $u$. Since membership in $C_{SF}$ is determined by the variables $ID$, $distance$ and $parent$, the actions DETECT-TREES and NEXT-COLOR cannot change membership in $C_{SF}$. Consider the following remaining possibilities for $a$:

Case 1 $a = $ COPY$_{uv}$.
The only statement of interest is [A]; by clause (3) of the definition of $C_{SF}$, $distance_{u,parent_u}$ must remain unchanged, and $s' \in C_{SF}$.

Case 2 $a = $ MAXIMIZE-PRIORITY$_u$.
If $u \in \rho(s)$, [H] is executed, and $s' \in C_{SF}$. If $u \notin \rho(s)$, let $v = s.parent_u$. Then [E] sets $l$ to $v$, [F] has no effect, and [G] preserves the values of $ID_u$, $distance_u$ and $parent_u$. Thus $s' \in C_{SF}$.

Case 3 $a = $ EXTEND-ID$_u$.
If $ID_u$ is extended, then $s' \in C^!$. ∎


Lemma 7.7 $C^= \stackrel{2\delta+1}{\Rightarrow} C_{SF}$.

Proof. Let $s_0 \in C^=$, and consider any execution fragment $\alpha = s_0 a_1 s_1 a_2 \ldots a_n s_n$ in $C^=$ of duration $\geq 2\delta+1$. Let the minimal distance of node $u$ be defined as

$D(u) = \min_{r \in \rho(s_0)} Dist(u, r)$

We show by induction that for any $i \leq \delta$, there must exist a state $s'$ in $\alpha$ such that $s'.now \leq s_0.now + 2i + 1$, and each node $u$ such that $D(u) \leq i$ satisfies the conditions (1), (2) and (3) in Definition 7.4 for membership in $C_{SF}$. (Let such a node be called locally stable.) Since $D(u) \leq \delta$ for all nodes, there must then exist a state $s$ in $\alpha$ such that $s.now \leq s_0.now + 2\delta + 1$ and all nodes are locally stable, which implies that $s \in C_{SF}$.

First, let $i = 0$. The only nodes $u$ for which $D(u) = 0$ are those in the set $\rho(s_0)$; within 1 time unit, each such node will have executed statement [H] of MAXIMIZE-PRIORITY and will have set its distance to 0, and will thus have become locally stable.

For the inductive step, let there exist a state $s'$ in $\alpha$ such that $s'.now \leq s_0.now + 2i + 1$, and each node $u$ for which $D(u) \leq i$ is locally stable. We show that there exists a state $s''$ following $s'$ such that $s''.now \leq s_0.now + 2(i+1) + 1$ and each node $u$ such that $D(u) \leq i+1$ is locally stable.

The conditions for local stability imply that in state $s'$, $ID_u = s_0.MAXID$ and $distance_u = D(u)$ for each node $u$ such that $D(u) \leq i$. Consider any node $u$ for which $D(u) = i+1$. Let $N'(u)$ be the set of neighbors $w$ of $u$ for which $D(w) = i$; $s'.ID_w = s_0.MAXID$ and $s'.distance_w = i$ for all such $w$. There must then exist a state $s'''$ following $s'$ in $\alpha$ such that $s'''.now \leq s'.now + 1$ and $(ID_{uw}, distance_{uw}) = (s_0.MAXID, i)$ for all $w \in N'(u)$. Since there must exist a MAXIMIZE-PRIORITY$_u$ step within time 1 after $s'''$, there exists an $s''$ following $s'''$ in $\alpha$ such that $s''.now \leq s'''.now + 1$ and $u$ is locally stable. Hence the inductive step follows. ∎


7.2 Self-Stabilization of the Coloring Algorithm

As was stated in the previous section, the forest structure must be stable, i.e. the state must be in $C_{SF}$, while the algorithm is operating. Lemma 7.7 guarantees that starting from any state in $C^=$, a state in $C_{SF}$ is reached within $2\delta+1$ time. However, when a state in $C_{SF}$ is reached, the coloring variables may not be in a consistent state: they may be arbitrarily set, so the broadcast-echo mechanism may not commence immediately. In this section we show that within time $17\delta+7$, these variables become consistent, and the coloring algorithm can proceed correctly.

In Definition 7.9, we define a "coloring predicate" $L(u)$ on individual nodes; if all nodes in a tree $T_r$ satisfy $L(u)$ and if $T_r$ satisfies another predicate $L'$, the coloring variables in that tree are consistent. $T_r$ is then said to be "well-colored," and the state set $GT_r$ ("GT" for "Good Tree") is defined as the set of states in $C_{SF}$ in which $T_r$ is well-colored. $C_{WC}$ is defined as the set of states in $C_{SF}$ in which all trees are well-colored.

We show that starting from a state $s$ in $C_{SF}$, unless a state in $C^!$ is reached, for any tree $T_r$ a state in $GT_r$ is reached within time $17\delta+7$ (Lemma 7.65). We do so using the intermediate state set $MT_r$, the set of states in which $T_r$ is monocolored, i.e. all nodes in $T_r$ possess the same color. Section 7.2.1 shows that any tree must get monocolored within time $4\delta+1$. Section 7.2.2 shows that once a tree is monocolored, it must get well-colored within $13\delta+6$ additional time.

We first define what it means for coloring variables to be "consistent."


Definition 7.8 ($T_r$, TREE($v$), leaf, root interval, branch, height, BRANCHES($T_r$))

• Let $r \in \rho(s)$. A tree rooted at node $r$ is the set

  $T_r = \{\, u \mid r \text{ is an ancestor of } u \,\}$

• TREE($v$), the tree containing node $v$, is defined as the unique tree containing $v$.
• A leaf is a node that is not an ancestor of any other node.
• A sequence of nodes $R = u_1 u_2 \ldots u_k$ is a root interval of $T_r$ if $u_1 = r$ and $parent_{u_i} = u_{i-1}$ for every $i > 1$.
• A root interval $B = u_1 u_2 \ldots u_k$ is a branch if it terminates in a leaf (i.e., $u_k$ is a leaf).
• The height of a tree, written HEIGHT($T_r$), is the maximal length of a branch in $T_r$.
• BRANCHES($T_r$) denotes the set of all branches in $T_r$. ∎


Definition 7.9 (Coloring predicates) Let $v = parent_u$. Then the following coloring predicates are defined for node $u$:

• $L1(u)$: $(color_u \neq color_v) \Rightarrow (mode_u = $ echo$)$ and $(mode_v = $ broadcast$)$.
• $L2(u)$: $mode_u = $ broadcast $\Rightarrow$
  – $mode_v = $ broadcast
  – $color_u = color_v$
  – If $w \in Children_u$, $(mode_{uw} = $ echo and $color_{uw} = color_u) \Rightarrow mode_w = $ echo and $color_w = color_u$.
• $L3(u)$: $mode_u = $ echo $\Rightarrow \forall w \in Children_u$
  – $color_u = color_{uw} = color_w$, and
  – $mode_{uw} = mode_w = $ echo.
• $L(u) = L1(u) \wedge L2(u) \wedge L3(u)$.

Definition 7.10 (Well-coloredness) A tree $T_r$ is well-colored in state $s$ if it satisfies the following conditions:

1. All nodes $u \in T_r$ satisfy $L(u)$ in $s$.
2. (Predicate $L'$) At most two colors are contained in $T_r$, i.e.,

   $\left| \bigcup_{u \in T_r} s.color_u \right| \leq 2$

Definition 7.11 ($GT_r$)

$GT_r = \{\, s \in C_{SF} \mid T_r \text{ is well-colored} \,\}$
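As an added illustration (this is not code from the thesis), the coloring predicates $L1$, $L2$, $L3$ of Definition 7.9 and the well-coloredness test of Definition 7.10 written out in Python and evaluated on three constructed states of a four-node tree: one well-colored state, one in which a child broadcasts a color its parent does not hold (violating $L1$ and $L2$), and one in which every node satisfies $L$ but the tree carries three colors (violating $L'$). The state layout (per-node $mode$ and $color$, plus each parent's copies $mode_{uw}$, $color_{uw}$ of its children's values) and the treatment of the root, for which the clauses mentioning $parent_u$ are taken as vacuously true, are assumptions of this example.

```python
"""Coloring predicates L1, L2, L3, L (Definition 7.9) and the
well-coloredness test (Definition 7.10) on constructed states.
Assumed state layout: mode[u], color[u] are node u's own variables;
cmode[(u, w)], ccolor[(u, w)] are u's copies mode_uw, color_uw of child w."""

BROADCAST, ECHO = "broadcast", "echo"


def children_of(parent):
    """Children_u for every u; parent[root] is None."""
    kids = {u: [] for u in parent}
    for u, v in parent.items():
        if v is not None:
            kids[v].append(u)
    return kids


def L1(st, u):
    """(color_u != color_v) => mode_u = echo and mode_v = broadcast.
    Assumed: clauses mentioning the parent v are vacuous at the root."""
    v = st["parent"][u]
    if v is None or st["color"][u] == st["color"][v]:
        return True
    return st["mode"][u] == ECHO and st["mode"][v] == BROADCAST


def L2(st, u):
    """mode_u = broadcast => parent broadcasts the same color, and any child
    whose echo of color_u has already been copied really is echoing it."""
    if st["mode"][u] != BROADCAST:
        return True
    v = st["parent"][u]
    if v is not None and (st["mode"][v] != BROADCAST
                          or st["color"][u] != st["color"][v]):
        return False
    for w in st["children"][u]:
        seen_echo = (st["cmode"][(u, w)] == ECHO
                     and st["ccolor"][(u, w)] == st["color"][u])
        if seen_echo and not (st["mode"][w] == ECHO
                              and st["color"][w] == st["color"][u]):
            return False
    return True


def L3(st, u):
    """mode_u = echo => every child, and u's copy of it, echoes color_u."""
    if st["mode"][u] != ECHO:
        return True
    for w in st["children"][u]:
        if not (st["color"][u] == st["ccolor"][(u, w)] == st["color"][w]):
            return False
        if not (st["cmode"][(u, w)] == ECHO == st["mode"][w]):
            return False
    return True


def L(st, u):
    return L1(st, u) and L2(st, u) and L3(st, u)


def tree_nodes(st, r):
    """T_r in breadth-first order: r and every node having r as an ancestor."""
    order, queue = [], [r]
    while queue:
        u = queue.pop(0)
        order.append(u)
        queue.extend(st["children"][u])
    return order


def check_tree(st, r):
    """Definition 7.10: returns (well_colored, list of violated predicates)."""
    violations = []
    for u in tree_nodes(st, r):
        for name, pred in (("L1", L1), ("L2", L2), ("L3", L3)):
            if not pred(st, u):
                violations.append((u, name))
    if len({st["color"][u] for u in tree_nodes(st, r)}) > 2:
        violations.append(("T_" + r, "L'"))        # more than two colors
    return (not violations), violations


def make_state(parent, mode, color, cmode, ccolor):
    return {"parent": parent, "children": children_of(parent),
            "mode": mode, "color": color, "cmode": cmode, "ccolor": ccolor}


PARENT = {"r": None, "a": "r", "b": "r", "c": "a"}   # constructed tree T_r

# Constructed: r broadcasts color 1, b has copied it, a and c still echo 0.
S_GOOD = make_state(
    PARENT,
    mode={"r": BROADCAST, "a": ECHO, "b": BROADCAST, "c": ECHO},
    color={"r": 1, "a": 0, "b": 1, "c": 0},
    cmode={("r", "a"): BROADCAST, ("r", "b"): BROADCAST, ("a", "c"): ECHO},
    ccolor={("r", "a"): 1, ("r", "b"): 1, ("a", "c"): 0})

# Constructed: as S_GOOD, but a broadcasts a color its parent does not hold.
S_BAD_L1 = make_state(
    PARENT,
    mode={"r": BROADCAST, "a": BROADCAST, "b": BROADCAST, "c": ECHO},
    color=dict(S_GOOD["color"]),
    cmode=dict(S_GOOD["cmode"]), ccolor=dict(S_GOOD["ccolor"]))

# Constructed: every node satisfies L, but T_r carries three colors.
S_BAD_LPRIME = make_state(
    PARENT,
    mode={"r": BROADCAST, "a": ECHO, "b": ECHO, "c": ECHO},
    color={"r": 1, "a": 0, "b": 2, "c": 0},
    cmode={("r", "a"): BROADCAST, ("r", "b"): ECHO, ("a", "c"): ECHO},
    ccolor={("r", "a"): 1, ("r", "b"): 2, ("a", "c"): 0})
```

`check_tree(S_GOOD, "r")` reports the state well-colored, `check_tree(S_BAD_L1, "r")` reports $L1$ and $L2$ violated at $a$, and `check_tree(S_BAD_LPRIME, "r")` reports only the $L'$ violation, which is what makes the two-color clause of Definition 7.10 necessary in addition to the per-node predicates.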
The following Lemma shows that once a tree is well-colored, it stays well-colored:

Lemma 7.12 $GT_r \Rightarrow GT_r$.

Proof. Let $(s, a, s')$ be a step such that $s \in GT_r$. Note that the only variables that are referenced by the coloring predicates are $color_u$, $mode_u$ and, for all $v \in Children_u$, $color_{uv}$ and $mode_{uv}$. We consider each $a \in acts(RSST)$ in turn:

Case 1 $a = $ COPY$_{uv}$.
Since $u$ can only copy a color from $v$, $L'$ must be true in $s'$. If $v \neq parent_u$ and $v \notin Children_u$, the coloring predicates remain unchanged. If $v = parent_u$, then [D] may be executed. If $s.color_v \neq s.color_u$, then $s'.color_u = s'.color_v$ and $s'.mode_u = s'.mode_v = $ broadcast. Also, because $L'$ holds in $s$, for all $w \in Children_u$, $s.color_w = s.color_u$, which implies $s'.color_w \neq s'.color_u$. Thus $L1(u)$, $L2(u)$, and $L3(u)$ are true in $s'$. Further, $L2(v)$ holds in $s'$. Since $s.mode_w = s'.mode_w = $ echo for any child $w$ of $u$, $w$ satisfies $L1$, $L2$ and $L3$ in $s'$.
If $v \in Children_u$, $L1(u)$, $L2(u)$ and $L3(u)$ continue to hold in $s'$.

Case 2 $a = $ MAXIMIZE-PRIORITY$_u$.
Since $s \in C_{SF}$, all variables in $s'$ are identical to those in $s$.

Case 3 $a = $ DETECT-TREES$_u$.
If [K] is executed then $s'.mode_u = $ echo. $L1$ and $L2$ are trivially satisfied, and $L3$ is satisfied in $s'$ because of the conditions in [J] and the fact that $L2$ was satisfied in $s$.

Case 4 $a = $ NEXT-COLOR$_u$.
If the test in NEXT-COLOR is true, $u \in \rho(s)$, and $L3$ implies that all nodes $v \in$ TREE($u$) have the same color $c$ in $s$. Hence $L'$ is satisfied. The coloring predicates can be seen to hold.

Case 5 $a = $ EXTEND-ID$_u$.
If the test is satisfied, then $s' \in C^!$. ∎


Definition 7.13 ($C_{WC}$)

$C_{WC} = \{\, s \in C_{SF} \mid s \in GT_r \ \forall r \in \rho(s) \,\}$

Corollary 7.14 $C_{WC} \Rightarrow C_{WC}$.

Proof. This is a direct consequence of Lemma 7.12 and Definition 7.13. ∎

Once a state is in $C_{WC}$, the coloring algorithm can proceed "normally" over all trees in the forest. We show that starting from a state in $C_{SF}$, unless a state in $C^!$ is reached, within time $17\delta+7$ each tree becomes well-colored, so within time $17\delta+7$ a state in $C_{WC}$ is reached. Thus we show that $C_{SF} \stackrel{17\delta+7}{\Rightarrow} GT_r$ for all roots $r$, which implies that $C_{SF} \stackrel{17\delta+7}{\Rightarrow} C_{WC}$ (this is shown in Lemma 7.65).

Definition 7.15 (Monocolored, bicolored intervals and trees; $MT_r$) A tree $T_r$ is monocolored in $s \in C_{SF}$ if it contains only one color, i.e. $color_u = c$ for some color $c$ and all $u \in T_r$. (We say that $T_r$ is monocolored with color $c$.) The set $MT_r$ is defined as the set of states in $C_{SF}$ in which $T_r$ is monocolored. Similarly, a root interval is monocolored if it contains only one color. $T_r$ is bicolored if it contains two colors (cf. Definition 7.10). ∎

The statement $C_{SF} \stackrel{17\delta+7}{\Rightarrow} GT_r$ is proved using two main results: $C_{SF} \stackrel{4\delta+1}{\Rightarrow} MT_r$ (the "Monocoloring" Result) and $MT_r \stackrel{13\delta+6}{\Rightarrow} GT_r$ (the "Blocking" Result).


7.2.1 The "Monocoloring" Result

In this section we establish the first of the two self-stabilization results, $C_{SF} \stackrel{4\delta+1}{\Rightarrow} MT_r$. Thus, starting from a state in $C_{SF}$ defining a stable forest, any execution $\alpha$ reaches a state in which tree $T_r$ is monocolored, within time $4\delta+1$.

An overview of the proof follows. A coloring epoch of color $c$ for $T_r$ is defined as a maximal execution fragment contained in $\alpha$ in which the root color $color_r$ remains fixed at $c$; $color_r$ changes from one epoch to the next. As will be apparent from the code for COPY, if a node notices that it has a color different from that of its parent, it copies its parent's color. A root-color interval for a branch in $T_r$ is the maximal root interval in the branch that has the same color as the root. Since children copy their parents' color, in any coloring epoch the root-color interval for any branch can only increase. Thus, in the last state of a coloring epoch $\gamma$, the root-color intervals in a tree are of maximal length; the scope of $\gamma$ is the depth up to which the root color has propagated in epoch $\gamma$. Thus in the last state of an epoch $\gamma$, all root intervals of length $\leq$ SCOPE($\gamma$) are colored with the root color.

Consider any branch $B$ in $T_r$ of scope $m$ in some coloring epoch $\gamma$ of color $c$. When the root chooses a new color $c'$ and sets its mode to broadcast, thus initiating the next coloring epoch $\gamma'$, all its descendants of depth $\leq m$ are colored $c$. Because a root must echo before it can choose the next color, all descendants of depth $\leq m+1$ must be colored with $c'$ in coloring epoch $\gamma'$. Thus each coloring epoch has a higher scope than its predecessor (provided that this is feasible, i.e., the scope of its predecessor was not HEIGHT($T_r$)). If a coloring epoch of scope HEIGHT($T_r$) is reached, there must exist some state in that epoch in which $T_r$ is monocolored.

A finer analysis, in Lemmas 7.37 to 7.39, shows that if a coloring epoch $\gamma$ is of duration $\Delta$, its scope is at least $\lfloor \Delta \rfloor$ higher than that of its predecessor (if feasible). Based on this progress property, Lemma 7.40 shows that the scope of a coloring epoch beginning after time $t$ in $\alpha$ must be at least $t/2$. Thus we conclude, in Lemma 7.41, that within time $3\delta$ an epoch of scope $\geq$ HEIGHT($T_r$) is reached, and therefore, in Lemma 7.42, that a monocolored state is reached in time $\leq 4\delta+1$.


Definition 7.16 (Root-color interval) Let $s \in C_{SF}$; let $T_r$ be a tree, and let $B \in$ BRANCHES($T_r$). The root-color interval of $B$, denoted RC($B$), is the maximal prefix $u_0 \ldots u_i$ of $B$ having the same color as the root $u_0$, i.e., for which $color(u) = color(u_0)$ for every $u \in$ RC($B$). ∎

Definition 7.17 (Root-color extent) Let $B \in$ BRANCHES($T_r$). The root-color extent of $B$, written EXTENT($B$), is defined as:

EXTENT($B$) =
  1. $|$RC($B$)$|$, if RC($B$) $\neq B$ (i.e., RC($B$) is a proper prefix of $B$).
  2. HEIGHT($T_r$), if RC($B$) $= B$.

Thus the root-color extent of a branch is the length of the maximal prefix that has the same color as the root, unless the whole branch has the same color, in which case it is the height of the tree.

Definition 7.18 (Root-color domain) The root-color domain of tree $T_r$, written DOMAIN($T_r$), is

DOMAIN($T_r$) $= \min_{B \in \text{BRANCHES}(T_r)}$ EXTENT($B$).


Claim 7.19 Let $(s, a, s')$ be a step in $C_{SF}$. For any root $r \in \rho(s) \cap \rho(s')$, if $s.color_r \neq s'.color_r$, then $a = $ NEXT-COLOR$_r$.

Proof. From the code, the only statements that can change the color of $r$ are [D] of COPY and the actions NEXT-COLOR$_r$ and EXTEND-ID$_r$. Since $parent_r = $ nil, [D] of COPY is not executed. If $a = $ EXTEND-ID$_r$ and $s.color_r \neq s'.color_r$, then $s.ID_r < s'.ID_r$, and so $s' \notin C_{SF}$. Hence the only possibility for $a$ is NEXT-COLOR$_r$. ∎

Definition 7.20 (Coloring epochs) Let $\alpha$ be an execution fragment in $C_{SF}$. A coloring epoch for tree $T_r$ is a maximal execution fragment $\gamma$ contained in $\alpha$ such that $color_r$ remains constant in $\gamma$. Let COLOR($\gamma$) denote the color of epoch $\gamma$, i.e. $s.color_r$ for any $s \in \gamma$. ∎

Observation 7.21 From Claim 7.19, for any tree $T_r$, any execution $\alpha$ in $C_{SF}$ contains coloring epochs $\gamma_1, \gamma_2, \gamma_3, \ldots$ for $T_r$, such that $\alpha = \gamma_1 a \gamma_2 a \gamma_3 a \ldots$, where $a = $ NEXT-COLOR$_r$.
Claim 7.22 If $\gamma_i$ and $\gamma_{i+1}$ are successive coloring epochs in some execution $\alpha$ then

• COLOR($\gamma_i$) $= 0 \Rightarrow$ COLOR($\gamma_{i+1}$) $\neq 0$
• COLOR($\gamma_i$) $\neq 0 \Rightarrow$ COLOR($\gamma_{i+1}$) $= 0$

Proof. Follows from the code for NEXT-COLOR, New-Color() and Reset-Color(). ∎

Definition 7.23 (Scope) Let $\gamma$ be a coloring epoch for $T_r$. The scope of a coloring epoch $\gamma$ for $T_r$ is

SCOPE($\gamma$) $= \max_{s \in \gamma} s.$DOMAIN($T_r$)

The scope of $\gamma$ for a branch $B$ in $T_r$ is defined similarly:

SCOPE$_B$($\gamma$) $= \max_{s \in \gamma} s.$EXTENT($B$)

Lemma 7.24 Let $u \notin \rho(s)$ and let $\alpha$ be an execution fragment in $C_{SF}$ starting with $s$. In any step $(s', a, s'')$ in $\alpha$ such that $s''.color_u \neq s'.color_u$: $s''.color_u = s'.color_{parent_u}$, $s''.mode_u = $ broadcast, and for all $v \in Children_u$, $s''.color_{uv} = $ undefined.

Proof. From the code, $a$ must be COPY$_{u,parent_u}$ and [D] must be executed. ∎


Lemma 7.25 In any step $(s, a, s')$ in some coloring epoch $\gamma$ for $T_r$, $s.color_u = s'.color_u$ for any $u \in s.$RC($B$), where $B \in$ BRANCHES($T_r$).

Proof. By induction on the depth of $u$ in $T_r$. Let $s.$RC($B$) $= u_1 \ldots u_i$. Since $s, s' \in \gamma$, $s.color_{u_1} = s'.color_{u_1}$. Suppose $s.color_{u_k} = s'.color_{u_k}$ for some $u_k \in u_1 \ldots u_{i-1}$. Since $u_{k+1} \in$ RC($B$), $s.color_{u_{k+1}} = s.color_{u_k}$. If $s'.color_{u_{k+1}} \neq s.color_{u_{k+1}}$, then by Lemma 7.24 $s'.color_{u_{k+1}} = s.color_{u_k}$, which is a contradiction since $s.color_{u_{k+1}} = s.color_{u_k}$. ∎

Corollary 7.26 Let $\gamma$ be a coloring epoch. If $(s, a, s')$ is a step in $\gamma$, for any branch $B \in$ BRANCHES($T_r$), $s.$RC($B$) is a prefix of $s'.$RC($B$).

Proof. Let $B \in$ BRANCHES($T_r$). From Lemma 7.25, for every $u \in$ RC($B$), $s'.color_u = s.color_u = s.color_r$. Hence the Corollary follows. ∎

Corollary 7.27 In any coloring epoch $\gamma$, DOMAIN($T_r$) cannot decrease.

Proof. Immediate from Definition 7.17 (EXTENT), Definition 7.18 (DOMAIN), and Corollary 7.26. ∎


Lemma 7.28 Let $\alpha$ be an execution fragment contained in some coloring epoch for $T_r$. Let $t = ($lstate($\alpha$).now $-$ fstate($\alpha$).now$)$. Then lstate($\alpha$).DOMAIN($T_r$) $\geq \min(($fstate($\alpha$).DOMAIN($T_r$) $+ \lfloor t \rfloor)$, HEIGHT($T_r$)$)$.

Proof. We show that for any $B \in$ BRANCHES($T_r$), lstate($\alpha$).EXTENT($B$) $\geq \min($fstate($\alpha$).EXTENT($B$) $+ \lfloor t \rfloor$, HEIGHT($T_r$)$)$. The Lemma then follows from the definition of DOMAIN($T_r$) (Definition 7.18).

Consider any branch $B = u_1 \ldots u_l$ in $T_r$, and an execution fragment $\alpha = s_0 a_1 s_1 a_2 \ldots a_n s_n$ contained in some coloring epoch $\gamma$ of color $c$ for $T_r$. Let $t = s_n.now - s_0.now$, and let $t' = \lfloor t \rfloor$.

Let $R = s_0.$RC($B$) $= u_1 \ldots u_i$.

We show that if $l \geq i + t'$, i.e., the length of branch $B$ is at least $i + t'$, then $u_1 \ldots u_{i+t'}$ is a prefix of $s_n.$RC($B$). Otherwise, $s_n.$RC($B$) $= B$.

If $t' = 0$, then Corollary 7.26 implies that $u_1 \ldots u_i$ is a prefix of $s_n.$RC($B$).

If $t' \geq 1$, and if $l \geq i+1$, then there must exist a step $(s, $COPY$_{u_{i+1} u_i}, s')$ in $\alpha$ such that $s'.now \leq s_0.now + 1$. Corollary 7.26 implies that $s.color_{u_i} = c$; hence $s'.color_{u_{i+1}} = c$, and $u_1 \ldots u_{i+1}$ is a prefix of $s'.$RC($B$) and $s_n.$RC($B$).

If $t' \geq 2$ and $l \geq i+2$, then there must exist a step $(s'', $COPY$_{u_{i+2} u_{i+1}}, s''')$ in $\alpha$ such that $s'''.now \leq s_0.now + 2$ and $s''$ follows $s'$ in $\alpha$. Again, Corollary 7.26 implies that $s''.color_{u_{i+1}} = c$; therefore $u_1 \ldots u_{i+2}$ is a prefix of $s'''.$RC($B$).

The Lemma follows by proceeding inductively as above. ∎
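The following Python example is added here and is not part of the thesis. It computes BRANCHES, HEIGHT, RC, EXTENT and DOMAIN (Definitions 7.8 and 7.16 to 7.18) for a constructed tree, and then applies a simplified synchronous model of color copying, in which every non-root node whose color differs from its parent's copies the parent's color once per time unit while the root color stays fixed, to show DOMAIN growing by at least one per time unit until it equals HEIGHT, the bound Lemma 7.28 gives within a single coloring epoch. The parent-pointer representation of the tree and the synchronous copy model are assumptions of the example, not the thesis' COPY action.

```python
"""BRANCHES, HEIGHT, RC, EXTENT and DOMAIN (Definitions 7.8, 7.16-7.18) on a
constructed tree, plus a simplified synchronous copy model (an assumption of
this example, not the thesis' COPY action) illustrating Lemma 7.28."""


def children_of(parent):
    """Children map from parent pointers; parent[root] is None."""
    kids = {u: [] for u in parent}
    for u, v in parent.items():
        if v is not None:
            kids[v].append(u)
    return kids


def branches(parent, r):
    """BRANCHES(T_r): every root interval starting at r and ending in a leaf."""
    kids = children_of(parent)
    found = []

    def walk(path):
        u = path[-1]
        if not kids[u]:
            found.append(tuple(path))
        for w in kids[u]:
            walk(path + [w])

    walk([r])
    return found


def height(parent, r):
    """HEIGHT(T_r): maximal branch length."""
    return max(len(b) for b in branches(parent, r))


def rc(color, branch):
    """RC(B): maximal prefix of B whose nodes carry the root's color."""
    prefix = []
    for u in branch:
        if color[u] != color[branch[0]]:
            break
        prefix.append(u)
    return tuple(prefix)


def extent(parent, color, r, branch):
    """EXTENT(B): |RC(B)| for a proper prefix, HEIGHT(T_r) if RC(B) = B."""
    prefix = rc(color, branch)
    return height(parent, r) if prefix == branch else len(prefix)


def domain(parent, color, r):
    """DOMAIN(T_r) = min over B in BRANCHES(T_r) of EXTENT(B)."""
    return min(extent(parent, color, r, b) for b in branches(parent, r))


def copy_round(parent, color):
    """One time unit of the assumed synchronous model: every non-root node
    whose color differs from its parent's copies the parent's color as it
    was at the start of the round (the root keeps its color in an epoch)."""
    new = dict(color)
    for u, v in parent.items():
        if v is not None and color[u] != color[v]:
            new[u] = color[v]
    return new


def domain_trace(parent, color, r, rounds):
    """DOMAIN(T_r) after 0, 1, ..., rounds time units of copying."""
    trace = [domain(parent, color, r)]
    for _ in range(rounds):
        color = copy_round(parent, color)
        trace.append(domain(parent, color, r))
    return trace


def bound_holds(trace, h):
    """Lemma 7.28 in this model: DOMAIN after t units is at least
    min(DOMAIN at time 0 + floor(t), HEIGHT)."""
    return all(d >= min(trace[0] + k, h) for k, d in enumerate(trace))


# Constructed tree: r -> a, b;  a -> c, d;  c -> e  (branches race, rad, rb)
PARENT = {"r": None, "a": "r", "b": "r", "c": "a", "d": "a", "e": "c"}
# Constructed colors at the start of an epoch of root color 1.
COLOR0 = {"r": 1, "a": 1, "b": 2, "c": 2, "d": 1, "e": 2}

if __name__ == "__main__":
    h = height(PARENT, "r")
    trace = domain_trace(PARENT, COLOR0, "r", h)
    print("HEIGHT =", h, "DOMAIN trace =", trace,
          "Lemma 7.28 bound holds:", bound_holds(trace, h))
```

On the constructed input the branch $r\,a\,d$ is entirely root-colored, so its EXTENT is HEIGHT($T_r$) $= 4$ rather than its length 3, while the branch $r\,b$ has EXTENT 1, so DOMAIN($T_r$) starts at 1; after one copy round it is 3 and after two it reaches HEIGHT, i.e. the tree is monocolored, which is the state set $MT_r$ of Definition 7.15.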


Lemma 7.29 Let $u, v \in T_r$, and let $parent_u = v$. Let $(s_0, $COPY$_{uv}, s_1)$ be a step in which $s_0.color_u \neq s_1.color_u$, and let $\alpha = s_0 a_1 s_1 a_2 \ldots$ be an execution fragment starting with this step, contained in some coloring epoch for $T_r$. Let $w$ be a child of $u$. If there exists $s_i \in \alpha$ ($i > 0$) such that $s_i.mode_u = $ echo, then there exists $s'$ between $s_1$ and $s_i$ such that $s'.color_w = s'.color_u$.

Proof. From the code, statement [D] in COPY$_{uv}$ must have been executed in the first step, so from the code for Reset-Color(), $s_1.mode_u = $ broadcast, and $s_1.color_{uw} = $ undefined.

Since $s_i.mode_u = $ echo, there must exist a step $(s', a, s'')$ between $s_1$ and $s_i$ such that $s'.mode_u = $ broadcast and $s''.mode_u = $ echo. From the code, the only possibility for $a$ is DETECT-TREES$_u$. From statement [J], it follows that $s'.mode_{uw} = $ echo and $s'.color_{uw} = s'.color_u$. Since $s'.color_{uw} = s'.color_w$, $s'.color_w = s'.color_u$. ∎

Let $var$ be one of the state components for a node (e.g. $mode$, $color$), and let $value$ be one of the corresponding values that can be assumed by the state components (e.g. "broadcast," for the $mode$ component). Henceforth, to ease the notation, the expression $var(u_1 u_2 \ldots u_k) = value$ will be used to denote the relation $var_{u_1} = var_{u_2} = \ldots = var_{u_k} = value$.


Definition 7.30 (Broadcast and echo intervals) Let $R = u_1 u_2 \ldots u_k$ be a root interval. Then,

• $R$ is a broadcast interval if $mode(u_1 u_2 \ldots u_k) = $ broadcast, and $L(u)$ is true for all $u$ in $R$. (Note that the conditions of $L$ imply that for such an interval, $color(u_1 u_2 \ldots u_k) = $ some color $c$, and for each $u_i$ in $u_1 \ldots u_{k-1}$, $\neg(mode_{u_i u_{i+1}} = $ echo and $color_{u_i u_{i+1}} = c)$.) A broadcast interval of color $c$ is a broadcast interval in which every node has color $c$ ($color_{u_i} = c$).

• $R$ is an echo interval if $mode(u_1 u_2 \ldots u_k) = $ echo, and $L(u)$ is true for all $u$ in $R$. (Note that the conditions of $L$ imply that for such an interval, $color(u_1 u_2 \ldots u_k) = $ some color $c$, and for each $u_i$ in $u_1 \ldots u_{k-1}$, $(mode_{u_i u_{i+1}} = $ echo and $color_{u_i u_{i+1}} = c)$.) An echo interval of color $c$ is an echo interval in which every node has color $c$. ∎


Lemma 7.31 Let $R = u_1 u_2 \ldots u_k$ be a broadcast interval of color $c$ in $s$, and let $\alpha$ be an execution fragment in $C_{SF}$ starting with $s$. If there exists $s'$ in $\alpha$ such that $s'.color_u \neq s.color_u$ for some $u \in R$, then there exists $s''$ before $s'$ in $\alpha$ such that $R$ is an echo interval of color $c$ in $s''$.

Proof. The coloring epoch containing $s'$ must be different from that containing $s$. A new coloring epoch for $R$ can only begin after a state $s_1$ in which $s_1.mode_{u_1} = $ echo. From the code for DETECT-TREES, $s_1$ must follow a state $s_2$ such that $s_2.mode_{u_1 u_2} = $ echo and $s_2.color_{u_1 u_2} = c$. Also, $s_2.mode_{u_2} = $ echo and $s_2.color_{u_2} = c$. Thus $u_1$ satisfies $L(u_1)$. Proceeding inductively, $s_2$ must follow some state $s_k$ in which $s_k.mode_{u_{k-1} u_k} = s_k.mode_{u_k} = $ echo, and $s_k.color_{u_{k-1} u_k} = s_k.color_{u_k} = c$. Hence $R$ is an echo interval of color $c$ in $s_k$. ∎


Lemma 7.32 Let $\gamma$ be a coloring epoch for $T_r$, and let $s$ be a state in $\gamma$ such that in a branch $B = u_1 u_2 \ldots u_k$ of $T_r$, there exist $i, j$ such that $u_1 \ldots u_i$ is a broadcast interval of color $c$, and $color(u_{i+1} \ldots u_j) = c' \neq c$. (Such an interval $u_1 \ldots u_j$ is called properly bicolored.) Then,

• There exists $s'$ following $s$ in $\gamma$ such that $u_1 \ldots u_j$ is a broadcast interval of color $c$, and (therefore)
• SCOPE$_B$($\gamma$) $\geq j$.

Proof. $u_1 \ldots u_i$ is a broadcast interval of color $c$ in state $s$. In any execution fragment $\alpha$ beginning with $s$, a new coloring epoch $\gamma'$ can only begin after a state $s_1$ such that $s_1.mode_{u_1} = $ echo (from the code for NEXT-COLOR). But since $s.mode_{u_1} = $ broadcast and $L2(u_1)$ holds in $s$, $s_1$ must follow some state $s_2$ in which $color_{u_2} = c$ and $mode_{u_2} = $ echo. Continuing inductively, $s_i$ must follow some state $s_{i+1}$ in which $color_{u_{i+1}} = c$ and $mode_{u_{i+1}} = $ echo. But $s_{i+1}$ must follow some step $(s'_{i+1}, $COPY$_{u_{i+1} u_i}, s''_{i+1})$ in which $u_{i+1}$ "copies" color $c$ from $u_i$; $u_1 \ldots u_{i+1}$ is a broadcast interval of color $c$ in $s''_{i+1}$. Proceeding inductively, there must exist $s'$ in which $u_1 \ldots u_j$ is a broadcast interval of color $c$. ∎


Claim 7.33 Any prefix of a monocolored root interval is monocolored, and a prefix of a properly bicolored interval is monocolored or properly bicolored.

Proof. Follows from the definitions. ∎

Claim 7.34 Let $R = u_1 u_2 \ldots u_k$ be a root interval in $T_r$. Let $\gamma$ be a coloring epoch for $T_r$, and let $s \in \gamma$. Then,

1. If $R$ is monocolored in $s$, it is monocolored for all $s'$ following $s$ in $\gamma$.
2. If $R$ is properly bicolored (cf. Lemma 7.32) in $s$, it is monocolored or properly bicolored for all $s'$ following $s$ in $\gamma$.

Proof. Follows from Lemma 7.24 and Corollary 7.26. ∎

Corollary 7.35 Let $\gamma_1 a \gamma_2$ be an execution fragment in $C_{SF}$ such that $\gamma_1$ and $\gamma_2$ are coloring epochs for $T_r$ of colors $c_1$ and $c_2$ respectively. Let SCOPE($\gamma_1$) $= m$. Then for any root interval $R = u_1 \ldots u_m$ in $T_r$ of length $m$, there exists $s \in \gamma_2$ such that $u_1 \ldots u_m$ is a broadcast interval of color $c_2$.

Proof. Note that in fstate($\gamma_2$), $u_1 \ldots u_m$ is properly bicolored. The Corollary then follows from Lemma 7.32. ∎

Lemma 7.36 Let $\gamma_1 a \gamma_2 a \gamma_3$ be an execution fragment in $C_{SF}$ such that $\gamma_1$, $\gamma_2$ and $\gamma_3$ are coloring epochs for $T_r$. Then SCOPE($\gamma_2$) $\geq \min($SCOPE($\gamma_1$) $+ 1$, HEIGHT($T_r$)$)$.

Proof. Let $\gamma_1$ and $\gamma_2$ be of colors $c_1$ and $c_2$ respectively. Let SCOPE($\gamma_1$) $= m$; note that HEIGHT($T_r$) $\geq m$. Let $B = u_1 \ldots u_k$ be a branch in $T_r$ of length $k \geq m$, and let $R = u_1 \ldots u_m$ be a prefix of $B$.

From Corollary 7.35, there exists an $s \in \gamma_2$ such that $R$ is a broadcast interval of color $c_2$. If $k = m$, then SCOPE$_B$($\gamma_2$) $=$ HEIGHT($T_r$). If $k > m$, then $s.color_{u_{m+1}} = c_1$ or $c_2$. If $s.color_{u_{m+1}} = c_1$, then $u_1 \ldots u_{m+1}$ is a properly bicolored interval, so by Lemma 7.32 SCOPE$_B$($\gamma_2$) $\geq m+1$. If $s.color_{u_{m+1}} = c_2$, then SCOPE$_B$($\gamma_2$) $\geq m+1$ by definition. ∎


Lemma 7.37 Let $\gamma_1 a \gamma_2$ be an execution fragment in $C_{SF}$ such that $\gamma_1$ and $\gamma_2$ are coloring epochs for $T_r$, and let SCOPE($\gamma_1$) $= m$.

For any integer $i$, if $($lstate($\gamma_2$).now $-$ fstate($\gamma_2$).now$) \geq i$, then for any root interval $R = u_1 \ldots u_k$ of length $\leq (m+i)$, there exists a state $s \in \gamma_2$ such that $s.now \leq$ fstate($\gamma_2$).now $+ i$, and $R$ is either monocolored or properly bicolored in $s$.

Proof. By induction on $i$.

Base ($i = 0$): Clearly, in fstate($\gamma_2$), any interval $u_1 \ldots u_k$ of length $\leq m$ is monocolored if $k = 1$, and is properly bicolored if $k > 1$.

Now suppose the Lemma holds for $i$. We need to show that it must hold for $i+1$.

Consider any root interval $R = u_1 \ldots u_{m+i+1}$. Since the Lemma holds for $i$, there exists a state $s \in \gamma_2$ such that $s.now \leq$ fstate($\gamma_2$).now $+ i$, and $u_1 \ldots u_{m+i}$ is either monocolored or properly bicolored in $s$. There must exist a step $(s_1, $COPY$_{u_{m+i+1} u_{m+i}}, s_2)$ in $\gamma_2$ such that $s_1$ follows $s$, and $(s_1.now \leq s.now + 1)$. Thus $s_2.now \leq ($fstate($\gamma_2$).now $+ i + 1)$. Consider the two cases:

Case 1 $u_1 \ldots u_{m+i}$ is monocolored in $s$.
Then, by Claim 7.34, $u_1 \ldots u_{m+i}$ must be monocolored in $s_1$, and therefore $u_1 \ldots u_{m+i+1}$ must be monocolored in $s_2$. Hence the Lemma follows.

Case 2 $u_1 \ldots u_{m+i}$ is properly bicolored in $s$.
Then by Claim 7.34, $u_1 \ldots u_{m+i}$ is either monocolored or properly bicolored in $s_1$. If $u_1 \ldots u_{m+i}$ is monocolored in $s_1$, $u_1 \ldots u_{m+i+1}$ must be monocolored in $s_2$. If $u_1 \ldots u_{m+i}$ is properly bicolored in $s_1$, $u_1 \ldots u_{m+i+1}$ must be properly bicolored in $s_2$. Hence the Lemma follows. ∎


Corollary 7.38 Let $\gamma_1 a \gamma_2$ be an execution fragment in $C_{SF}$ such that $\gamma_1$ and $\gamma_2$ are coloring epochs for $T_r$, and let SCOPE($\gamma_1$) $= m$.

For any integer $i$, if $($lstate($\gamma_2$).now $-$ fstate($\gamma_2$).now$) \geq i$, there exists a state $s \in \gamma_2$ such that $s.now \leq$ fstate($\gamma_2$).now $+ i$, such that every root interval of length $\leq (m+i)$ is either monocolored or properly bicolored in $s$.

Proof. Follows from Lemma 7.37 and Claim 7.34. ∎

Lemma 7.39 Let $\gamma_1 a \gamma_2$ be an execution fragment in $C_{SF}$ such that $\gamma_1$ and $\gamma_2$ are coloring epochs for $T_r$, and let SCOPE($\gamma_1$) $= m$. Let $\Delta = ($lstate($\gamma_2$).now $-$ fstate($\gamma_2$).now$)$. Then

SCOPE($\gamma_2$) $\geq \min(\,($SCOPE($\gamma_1$) $+ \lfloor \Delta \rfloor)$, HEIGHT($T_r$)$\,)$.

Proof. Let $\Delta' = \lfloor \Delta \rfloor$. From Corollary 7.38, there exists a state $s$ in $\gamma_2$ such that $(s.now -$ fstate($\gamma_2$).now$) \leq \Delta'$, and every root interval of length $\leq m + \Delta'$ is either monocolored or properly bicolored in $s$. Hence by Lemma 7.32, SCOPE$_B$($\gamma_2$) $\geq \min(m + \Delta'$, HEIGHT($T_r$)$)$ for every branch $B$. Hence SCOPE($\gamma_2$) $\geq \min(m + \Delta'$, HEIGHT($T_r$)$)$. ∎


Lemma 7.40 Let $\alpha = \gamma_1 a \gamma_2 a \gamma_3 \ldots$ be an execution in $C_{SF}$, where $\gamma_1, \gamma_2, \gamma_3, \ldots$ are coloring epochs for tree $T_r$. Then for any coloring epoch $\gamma$,

SCOPE($\gamma$) $\geq \min(\,$fstate($\gamma$).now$/2$, HEIGHT($T_r$)$\,)$

Proof. By induction on $\gamma$. Clearly, SCOPE($\gamma_1$) $\geq 0$.

Now suppose the Lemma holds for $\gamma_i$, i.e. SCOPE($\gamma_i$) $\geq \min($fstate($\gamma_i$).now$/2$, HEIGHT($T_r$)$)$. If SCOPE($\gamma_i$) $=$ HEIGHT($T_r$), then Lemma 7.36 implies SCOPE($\gamma_{i+1}$) $=$ HEIGHT($T_r$), which satisfies the Lemma. If SCOPE($\gamma_i$) $<$ HEIGHT($T_r$), then by the inductive hypothesis, SCOPE($\gamma_i$) $\geq$ fstate($\gamma_i$).now$/2$. We show that SCOPE($\gamma_{i+1}$) $\geq$ fstate($\gamma_{i+1}$).now$/2$, which would satisfy the Lemma. Consider the two cases:

Case 1 $($fstate($\gamma_{i+1}$).now $-$ fstate($\gamma_i$).now$) \leq 1$.

Then Lemma 7.36 yields

SCOPE($\gamma_{i+1}$) $\geq$ SCOPE($\gamma_i$) $+ 1$
  $\geq$ fstate($\gamma_i$).now$/2 + 1$   (by the inductive hypothesis)
  $= ($fstate($\gamma_i$).now $+ 2)/2$
  $\geq$ fstate($\gamma_{i+1}$).now$/2$

Case 2 $($fstate($\gamma_{i+1}$).now $-$ fstate($\gamma_i$).now$) > 1$.

Then by Lemma 7.39,

SCOPE($\gamma_{i+1}$) $\geq$ SCOPE($\gamma_i$) $+ \lfloor$fstate($\gamma_{i+1}$).now $-$ fstate($\gamma_i$).now$\rfloor$
  $\geq$ fstate($\gamma_i$).now$/2 + \lfloor$fstate($\gamma_{i+1}$).now $-$ fstate($\gamma_i$).now$\rfloor$   (by the inductive hypothesis)
  $\geq$ fstate($\gamma_i$).now$/2 + ($fstate($\gamma_{i+1}$).now $-$ fstate($\gamma_i$).now$)/2$   (since $x > 1$ implies $\lfloor x \rfloor \geq x/2$)
  $=$ fstate($\gamma_{i+1}$).now$/2$ ∎
Lemma 7.41 Let $\alpha = \gamma_1 a \gamma_2 a \gamma_3 \ldots$ be an execution fragment in $C_{SF}$, where $\gamma_1, \gamma_2, \gamma_3, \ldots$ are coloring epochs for $T_r$. There exists an epoch $\gamma_i$ in $\alpha$ such that fstate($\gamma_i$).now $\leq 3\,$HEIGHT($T_r$), and SCOPE($\gamma_i$) $=$ HEIGHT($T_r$).

Proof. If there exists an epoch $\gamma_i$ in $\alpha$ such that $3\,$HEIGHT($T_r$) $\geq$ fstate($\gamma_i$).now $\geq 2\,$HEIGHT($T_r$), then by Lemma 7.40 SCOPE($\gamma_i$) $=$ HEIGHT($T_r$). If there is no such epoch $\gamma_i$, then there must exist an epoch $\gamma_i$ such that fstate($\gamma_i$).now $< 2\,$HEIGHT($T_r$) and lstate($\gamma_i$).now $> 3\,$HEIGHT($T_r$). Since $\lfloor$lstate($\gamma_i$).now $-$ fstate($\gamma_i$).now$\rfloor \geq$ HEIGHT($T_r$), Lemma 7.39 implies that SCOPE($\gamma_i$) $=$ HEIGHT($T_r$). ∎

Lemma 7.42 $C_{SF} \stackrel{4\delta+1}{\Rightarrow} MT_r \quad \forall r \in \rho$.

Proof. Let $s \in C_{SF}$. Let $\alpha$ be any execution fragment in $C_{SF}$ beginning with $s$, for which $($lstate($\alpha$).now $-$ fstate($\alpha$).now$) \geq 4\delta+1$. Let $\alpha = \gamma_1 a \gamma_2 a \gamma_3 \ldots$, where $\gamma_1, \gamma_2, \gamma_3, \ldots$ are coloring epochs. By Lemma 7.41, there exists an epoch $\gamma_i$ such that fstate($\gamma_i$).now $\leq 3\,$HEIGHT($T_r$) and SCOPE($\gamma_i$) $=$ HEIGHT($T_r$).

If lstate($\gamma_i$).now $\leq 4\,$HEIGHT($T_r$), then since SCOPE($\gamma_i$) $=$ HEIGHT($T_r$), there exists a state $s' =$ lstate($\gamma_i$) such that $s'.now \leq 4\,$HEIGHT($T_r$) $+ 1$ and $s' \in MT_r$.

If lstate($\gamma_i$).now $> 4\,$HEIGHT($T_r$), then since fstate($\gamma_i$).now $\leq 3\,$HEIGHT($T_r$), Lemma 7.28 implies that for any state $s'$ in $\gamma_i$ such that $4\,$HEIGHT($T_r$) $\leq s'.now \leq (4\,$HEIGHT($T_r$) $+ 1)$, $s'.$DOMAIN($T_r$) $=$ HEIGHT($T_r$), which implies that $s' \in MT_r$.

Since HEIGHT($T_r$) $\leq \delta$, the Lemma follows. ∎


7.2.2 The "Blocking" Result

In this section we establish the second of the two self-stabilization results, $MT_r \stackrel{13\delta+6}{\Rightarrow} GT_r$. Thus, starting from a state in $C_{SF}$ in which $T_r$ is monocolored, any execution reaches a state in which tree $T_r$ is well-colored, within time $13\delta+6$.

If a tree $T_r$ is monocolored with some color $c$ in some state $s$, it stays monocolored until the root chooses a new color $c'$. When the new color $c'$ is propagated to all nodes in the tree (as it must be, from Lemma 7.36), the tree becomes well-colored, since in the process of copying a new color from its parent a node resets its own coloring variables (through Reset-Color$_u$). We show, in Lemma 7.62, that within $12\delta+6$ time the root must choose a new color.

In order to choose a new color, the root must first set its mode to echo (from the code), which requires that all its children echo. A node $u$ could be prevented from echoing because it may be blocked by its neighbors: if its color is non-zero, it needs to notice a non-zero color at each of its neighbors (i.e., $nbr\text{-}color_{uv} \neq$ undefined), and it needs to notice that all neighbors have observed its color ($self\text{-}color_{uv} = color_u$). Theorem 7.60 shows that a node can be blocked for at most $10\delta+5$ time, which implies that an "echo wave" must reach the root and cause it to choose a new color within $12\delta+6$ time.

Definition 7.43 (Waiting) A node $u$ waits in state $s \in C_{SF}$ if it is in a broadcast interval (cf. Definition 7.30). It waits with color $c$ if it is waiting in $s$ and $s.color_u = c$. ∎

Definition 7.44 (Waiting epoch) Let $\alpha$ be an execution fragment in $C_{SF}$. A waiting epoch $\omega$ for $u$ is a maximal fragment contained in $\alpha$ such that $u$ waits in each state of $\omega$ and $color_u$ remains constant in $\omega$. A waiting epoch of color $c$ is a waiting epoch in which $u$ waits with color $c$. ∎

Definition 7.45 (Blocking, enabling) Let $u$ be waiting in $s$ with color $c \neq 0$, and let $v \in NBRS(u)$. Then,

• $u$ is blocked by $v$ on self-color in $s$ if $s.self\text{-}color_{uv} \neq color_u$. Otherwise, $u$ is enabled by $v$ on self-color.
• $u$ is blocked by $v$ on nbr-color in $s$ if $s.nbr\text{-}color_{uv} = $ undefined. Otherwise, $u$ is enabled by $v$ on nbr-color.
• $u$ is blocked by $v$ in $s$ if it is blocked by $v$ on self-color or nbr-color.
• $u$ is enabled by $v$ in $s$ if it is enabled by $v$ on both self-color and nbr-color. ∎

Definition 7.46 (Recoloring) A node $u$ is recolored in a step $(s, a, s')$ if $s.color_u \neq s'.color_u$.
Lemma 7.47 Let $r \in \rho(s)$, and let $\alpha$ be an execution fragment in $C_{SF}$ starting with $s$. If $s.mode_r = $ broadcast, and if there exists $s' \in \alpha$ such that $s'.color_r \neq s.color_r$, then there exists a state $s''$ preceding $s'$ in $\alpha$ such that $s''.color_r = s.color_r$ and $s''.mode_r = $ echo.

Proof. Let $(s_1, a, s_2)$ be the first step in $\alpha$ such that $s_1.color_r \neq s_2.color_r$; there must exist such a step between $s$ and $s'$ in $\alpha$. From the code, $a$ can only be NEXT-COLOR$_r$. Since $s_1.color_r = s.color_r$, and since $s_1.mode_r = $ echo from the condition in NEXT-COLOR$_r$, the Lemma follows. ∎

Claim 7.48 In any step $(s, a, s')$ in $C_{SF}$ such that $s.mode_u = $ broadcast and $s'.mode_u = $ echo, $u$ is enabled by all $v \in NBRS(u)$ in $s$.

Proof. Follows since $a$ can only be DETECT-TREES$_u$ and the conditions in [J] must be satisfied. ∎

Lemma 7.49 Let $u$ be waiting in $s$, and let $\alpha$ be any execution fragment in $C_{SF}$ starting with $s$. If there exists a step $(s', a, s'')$ in $\alpha$ in which $u$ is recolored, then there must exist a state $s_1$ between $s$ and $s''$ in $\alpha$ such that $u$ is enabled by all $v \in NBRS(u)$ in $s_1$.

Proof. Since $u$ is waiting in $s$, there exists a broadcast interval $R = u_1 u_2 \ldots u$ in $s$. From Lemma 7.31, there exists $s_1$ between $s$ and $s''$ such that $R$ is an echo interval in $s_1$. Since $s_1.mode_u = $ echo, the Lemma follows from Claim 7.48. ∎


Lemma 7.50 Let $w$ be a waiting epoch for $u$ of color $c$. In any state $s \in w$ such that $(s.\textit{now} > \textit{fstate}(w).\textit{now} + 2)$, $u$ is enabled by all $v \in \textit{Nbrs}(u)$ on self-color.

Proof. Let $w$ be a waiting epoch of color $c$. For any $v \in \textit{Nbrs}(u)$, there must exist a step $(s_1, \text{COPY}_{vu}, s_2)$ in $w$ such that $s_1.\textit{now} = s_2.\textit{now} < \textit{fstate}(w).\textit{now} + 1$. Since $s_1.\textit{color}_u = c$, $s_2.\textit{color}_{vu} = c$. There must exist another step $(s_3, \text{COPY}_{uv}, s_4)$ following $s_2$ in $w$ such that $s_3.\textit{now} = s_4.\textit{now} < s_2.\textit{now} + 1$. Since $s_3.\textit{color}_{vu} = c$, $s_4.\textit{self-color}_{uv} = c$. Hence $u$ is enabled by $v$ on self-color in $s_4$. Further, for all states $s$ following $s_4$ in $w$, $u$ must remain enabled by $v$ on self-color. Hence the Lemma follows. ∎
Lemma 7.51 Let $\alpha$ be an execution fragment of duration $> 1$ contained in a waiting epoch for $u$. If $u$ is blocked by $v$ on nbr-color in $\textit{lstate}(\alpha)$, then $\textit{lstate}(\alpha).\textit{color}_{uv} = 0$.

Proof. Consider the last step $(s, a, s')$ in $\alpha$ such that $a = \text{COPY}_{uv}$. Since $\textit{lstate}(\alpha).\textit{nbr-color}_{uv} = \textit{undefined}$, and COPY$_{uv}$ is the only action that can change $\textit{nbr-color}_{uv}$ between $s'$ and $\textit{lstate}(\alpha)$, it follows that $s'.\textit{nbr-color}_{uv} = \textit{undefined}$. Since statement [C] must have been executed in the COPY$_{uv}$ step, $s.\textit{color}_v = 0$, and therefore $s'.\textit{color}_{uv} = 0 = \textit{lstate}(\alpha).\textit{color}_{uv}$. ∎


Lemma 7.52 Let $w$ be a waiting epoch for $u$. If $u$ is enabled by $v$ on nbr-color in some $s \in w$, $u$ is enabled by $v$ on nbr-color for all $s'$ following $s$ in $w$.

Proof. From the code, if $s.\textit{nbr-color}_{uv} \neq \textit{undefined}$, the only code that can change $s.\textit{nbr-color}_{uv}$ to $\textit{undefined}$ is the call to Reset-Color(), which can be made either through [D] of COPY$_{uv}$, or through NEXT-COLOR$_u$ or EXTEND-ID$_u$. Since $w$ is a waiting epoch for $u$, none of these possibilities is feasible. ∎


Lemma 7.53 Let $s$ be a state in $C_{SP}$ in which $u$ is blocked by $v$ on nbr-color, $s.\textit{color}_{uv} = 0$ or $\textit{undefined}$, and $v$ is blocked by $u$ on self-color. Let $\alpha$ be any execution fragment in $C_{SP}$ beginning with $s$. Then if there exists $s' \in \alpha$ such that $v$ is enabled by $u$ on self-color, there exists $s''$ before $s'$ in $\alpha$ such that $u$ is enabled by $v$ on nbr-color.

Proof. $s.\textit{color}_{uv} = 0$ or $\textit{undefined}$, $s.\textit{self-color}_{vu} \neq s.\textit{color}_v$, and $s'.\textit{self-color}_{vu} = s'.\textit{color}_v$. From Lemma 7.49, it is possible to choose an $s'$ in $\alpha$ satisfying the given conditions such that $s'.\textit{color}_v = s.\textit{color}_v$. Since $s.\textit{self-color}_{vu} \neq s.\textit{color}_v$ and $s'.\textit{self-color}_{vu} = s.\textit{color}_v$, there must exist a step $(s_1, \text{COPY}_{vu}, s_2)$ between $s$ and $s'$ in $\alpha$ such that $s_1.\textit{self-color}_{vu} \neq s.\textit{color}_v$ and $s_2.\textit{self-color}_{vu} = s.\textit{color}_v$. Hence $s_1.\textit{color}_{uv} = s.\textit{color}_v \neq 0$. Since $s.\textit{color}_{uv} = 0$ or $\textit{undefined}$, and $s_1.\textit{color}_{uv} > 0$, there must exist a step $(s_3, \text{COPY}_{uv}, s_4)$ between $s$ and $s_1$ such that $s_3.\textit{color}_{uv} = 0$ or $\textit{undefined}$ and $s_4.\textit{color}_{uv} > 0$. Since $s_3.\textit{color}_v \neq 0$, statement [C] in COPY$_{uv}$ sets $s_4.\textit{nbr-color}_{uv} = s_3.\textit{color}_v \neq \textit{undefined}$. Thus $u$ is enabled by $v$ on nbr-color in $s_4$. ∎




Lemma 7.54 Let $s$ be a state in $C_{SP}$ in which $u$ is blocked by $v$ on nbr-color, $s.\textit{color}_{uv} = 0$ or $\textit{undefined}$, and $v$ is blocked by $u$ on self-color. Then in any execution fragment $\alpha$ in $C_{SP}$ beginning with $s$, there exists $s'$ following $s$ in $\alpha$ such that $s'.\textit{now} < s.\textit{now} + 1$ and $u$ is enabled by $v$ on nbr-color.

Proof. There exist two exhaustive possibilities:

Case 1 There exists $s'$ following $s$ in $\alpha$ such that $s'.\textit{now} < s.\textit{now} + 1$ and $v$ is enabled by $u$ on self-color.
Then from Lemma 7.53, there exists $s''$ before $s'$ in $\alpha$ such that $u$ is enabled by $v$ on nbr-color, and the Lemma follows.

Case 2 There exists no $s'$ following $s$ in $\alpha$ such that $s'.\textit{now} < s.\textit{now} + 1$ and $v$ is enabled by $u$ on self-color.
There must exist a step $(s_1, \text{COPY}_{uv}, s_2)$ in $\alpha$ such that $s_1.\textit{now} < s.\textit{now} + 1$. Since $v$ is not enabled by $u$ between $s$ and $s_1$, $s_1.\textit{color}_v = s.\textit{color}_v > 0$. From statement [C] in COPY$_{uv}$, $s_2.\textit{nbr-color}_{uv} = s_1.\textit{color}_v > 0$; hence the Lemma follows. ∎


Lemma 7.55 Let $(s, a, s')$ be a step in $C_{SP}$ in which $s'.\textit{color}_u \neq s.\textit{color}_u$. Then $u$ is blocked by all $v \in \textit{Nbrs}(u)$ in $s'$.

Proof. Follows since $a$ must have called Reset-Color. ∎


Lemma 7.56 Let $T_r$ be monocolored with color 0 in $s$. In any execution fragment in $C_{SP}$ of duration $> 2\delta$ beginning with $s$, there exists a state $s_1$ in which $\textit{mode}_r = \textit{echo}$.

Proof. From the code in statement [J] in DETECT-TREES, nodes with color 0 do not "wait" for neighbors to enable them before echoing; a node $u$ with color 0 echoes as soon as it notices that all its children are echoing. Thus the root must echo within time $2\delta$. ∎
Lemma 7.57 Let TREE($u$) be monocolored with color 0 in $s \in C_{SP}$. For any execution fragment $\alpha$ in $C_{SP}$ beginning with $s$, there exists $s'$ following $s$ in $\alpha$ such that $s'.\textit{now} < s.\textit{now} + 4\delta$, $u$ waits in $s'$, and $u$ is blocked by all neighbors $v \in \textit{Nbrs}(u)$ in $s'$.

Proof. By Lemma 7.56, within time $2\delta$ in $\alpha$ a state is reached in which $\textit{mode}_r = \textit{echo}$. Thus within time $2\delta + 1$, $r$ must choose a new color (through NEXT-COLOR$_r$). Within $\delta$ additional time, $u$ must be recolored with this new color. The Lemma follows from Lemma 7.55. ∎


Lemma 7.58 Let TREE($u$) be monocolored with a color $\neq 0$ in $s$, and let $\alpha$ be an execution fragment in $C_{SP}$ beginning with $s$. If there exists a state $s'$ following $s$ in $\alpha$ such that $s'.\textit{now} < s.\textit{now} + 1$ and $s'.\textit{color}_u = 0$, then there exists a state $s''$ following $s$ in $\alpha$ such that $s''.\textit{now} < s.\textit{now} + 1 + 2\delta$ and TREE($u$) is monocolored with color 0 in $s''$.

Proof. Let $T_u = $ TREE($u$). Since non-root nodes can only copy new colors from their parents, the coloring epoch $\gamma'$ containing $s'$ is different from the epoch $\gamma$ containing $s$. Since $T_u$ is monocolored in $s$, SCOPE($\gamma$) = HEIGHT($T_u$). Hence from Lemma 7.36, SCOPE($\gamma'$) = HEIGHT($T_u$). Since $\gamma'$ is of color 0, there exists a state $s''$ in $\gamma'$ such that $T_u$ is monocolored with color 0. Since $s'.\textit{color}_u = 0$, and each child copies its parent's color within time 2, such a state $s''$ exists for which $s''.\textit{now} < s'.\textit{now} + 2\delta$. ∎


Lemma 7.59 Let $u$ be blocked by $v$ on nbr-color in $s$, and let $\alpha$ be a fragment starting with $s$ that is contained in some waiting epoch for $u$. If there exists an execution fragment $\alpha_1$ in $\alpha$ such that $(\textit{lstate}(\alpha_1).\textit{now} - \textit{fstate}(\alpha_1).\textit{now} > 1)$ and $s'.\textit{color}_v \neq 0$ for every $s' \in \alpha_1$, then $u$ is enabled by $v$ on nbr-color in $\textit{lstate}(\alpha_1)$.

Proof. There must exist a step $(s_1, \text{COPY}_{uv}, s_2)$ in $\alpha_1$. Since $s_1.\textit{color}_v > 0$, [C] in the code for COPY$_{uv}$ sets $s_2.\textit{nbr-color}_{uv} = s_1.\textit{color}_v > 0$, and so $u$ is enabled by $v$ on nbr-color in $s_2$. The Lemma then follows from Lemma 7.52. ∎
Theorem 7.60 Let $\alpha$ be an execution fragment in $C_{SP}$, and let $w$ be a waiting epoch of duration $> (10\delta + 5)$ contained in $\alpha$. In any $s' \in w$ such that $s'.\textit{now} > \textit{fstate}(w).\textit{now} + (10\delta + 5)$, $u$ is enabled by all $v \in \textit{Nbrs}(u)$ on nbr-color.

Proof. Let $s = \textit{fstate}(w)$, and let $u$ be blocked by some neighbor $v$ on nbr-color in $s$. Let $s_1$ be a state in $w$ such that $(s.\textit{now} + 1 < s_1.\textit{now} < s.\textit{now} + 2)$. If $u$ is blocked by $v$ on nbr-color in $s_1$, then by Lemma 7.51 $s_1.\textit{color}_{uv} = 0$. By Lemma 7.42, there exists $s_2$ following $s_1$ in $\alpha$ such that $s_2.\textit{now} < (s_1.\textit{now} + 4\delta + 1)$ and TREE($v$) is monocolored in $s_2$. If $u$ is blocked by $v$ on nbr-color in $s_2$, by Lemma 7.51 $s_2.\textit{color}_{uv} = 0$. Note that $s_2.\textit{now} < s.\textit{now} + (4\delta + 3)$.

Consider the two cases:

Case 1 TREE($v$) is monocolored with color 0 in $s_2$.
By Lemma 7.57, there exists $s_3$ following $s_2$ in $\alpha$ such that $s_3.\textit{now} < s_2.\textit{now} + 4\delta$ and $v$ is blocked by $u$ in $s_3$. If $u$ is blocked by $v$ on nbr-color in $s_3$, Lemma 7.51 implies that $s_3.\textit{color}_{uv} = 0$. Then by Lemma 7.54, there exists $s_4$ following $s_3$ in $\alpha$ such that $s_4.\textit{now} < s_3.\textit{now} + 1$ and $u$ is enabled by $v$ on nbr-color. Note that $s_4.\textit{now} < s.\textit{now} + (4\delta + 3) + 4\delta + 1 = s.\textit{now} + 8\delta + 4$.

Case 2 TREE($v$) is monocolored with some color $\neq 0$ in $s_2$.
Then there must exist a step $(s_3, \text{COPY}_{uv}, s_4)$ such that $s_3$ follows $s_2$ in $\alpha$ and $s_3.\textit{now} < s_2.\textit{now} + 1$. If $s_3.\textit{color}_v \neq 0$, $u$ is enabled by $v$ in $s_4$ on nbr-color. (Note that $s_4.\textit{now} < s.\textit{now} + (4\delta + 3) + 1 = s.\textit{now} + 4\delta + 4$.) If $s_3.\textit{color}_v = 0$, by Lemma 7.58 there exists a state $s_4$ following $s_2$ in $\alpha$ such that $(s_4.\textit{now} < s_2.\textit{now} + 1 + 2\delta)$ and TREE($v$) is monocolored with color 0 in $s_4$. We now proceed as in Case 1 and conclude that there exists $s_5$ following $s_4$ in $\alpha$ such that $(s_5.\textit{now} < s_4.\textit{now} + (4\delta + 1))$ and $u$ is enabled by $v$ on nbr-color in $s_5$. Note that $s_5.\textit{now} < (s_2.\textit{now} + 6\delta + 2) < (s.\textit{now} + 10\delta + 5)$.

By Lemma 7.52, $u$ is enabled by $v$ on nbr-color for all $s'$ following $s$ in $w$ such that $s'.\textit{now} > (\textit{fstate}(w).\textit{now} + 10\delta + 5)$. ∎
Lemma 7.61 Let $\alpha$ be an execution fragment in $C_{SP}$, and let $w$ be a waiting epoch of duration $> (10\delta + 5)$ contained in $\alpha$. In any $s' \in w$ such that $s'.\textit{now} > \textit{fstate}(w).\textit{now} + (10\delta + 5)$, $(s'.\textit{self-color}_{uv} = \textit{color}_u)$ and $(s'.\textit{nbr-color}_{uv} \neq \textit{undefined})$.

Proof. Follows from Definition 7.45, Lemma 7.50, and Theorem 7.60. ∎


Lemma 7.62 Let $s \in MT_r$. In any execution fragment $\alpha$ in $C_{SP}$ of duration $> 12\delta + 6$ beginning with $s$, there exists a step $(s', \text{NEXT-COLOR}_r, s'')$ in $\alpha$ such that $(s'.\textit{now} < s.\textit{now} + 12\delta + 6)$, $s'.\textit{color}_r \neq s''.\textit{color}_r$, and $s' \in MT_r$.

Proof. This is a consequence of Lemma 7.61 and the fact that a node enabled by all its neighbors echoes at most 2 time units after all its children have echoed. ∎


Lemma 7.63 Let $(s, a, s')$ be a step in $C_{SP}$ such that $s \in MT_r$ and $s'.\textit{color}_r \neq s.\textit{color}_r$. Then in any execution fragment $\alpha$ in $C_{SP}$ of duration $> \delta$ beginning with $(s, a, s')$, there exists $s''$ in $\alpha$ such that $s''.\textit{now} < s.\textit{now} + \delta$ and $s'' \in GT_r$.

Proof. Let $c' = s'.\textit{color}_r$. Each branch $B \in$ BRANCHES($T_r$) is properly bicolored in $s'$, and thus by Lemma 7.32, for each branch $B$ there exists a state $s_B$ such that $B$ is a broadcast interval of color $c'$. State $s_B$ must be reached within time $\delta$ (since color $c'$ can take up to $\delta$ time to propagate); any state following the latest such $s_B$ in $\alpha$ must be in $GT_r$. ∎

Lemma 7.64 $MT_r \xrightarrow{13\delta + 9} GT_r$.

Proof. Follows from Lemmas 7.62 and 7.63. ∎


7.2.3 Self-stabilization of the Coloring Algorithm: Main Result

Lemma 7.65 $C_{SP} \xrightarrow{12\delta + 7} C_{WC}$.

Proof. For all $r \in \varrho$, from Lemma 7.42 $C_{SP} \xrightarrow{4\delta + 1} MT_r$, and from Lemma 7.64, $MT_r \xrightarrow{13\delta + 9} GT_r$. Hence for all $r$, $C_{SP} \xrightarrow{17\delta + 10} GT_r$. Since $GT_r \longrightarrow GT_r$ by Lemma 7.12, the Lemma follows. ∎

Lemma 7.66 (Main coloring self-stabilization result) $C^{=} \xrightarrow{12\delta + 8} C_{WC}$.

Proof. From Lemma 7.7, $C^{=} \xrightarrow{1} C_{SP}$. From Lemma 7.65, $C_{SP} \xrightarrow{12\delta + 7} C_{WC}$. Thus the Lemma follows. ∎


7.3 Tree Detection

From Lemma 7.66, starting from any state in $C^{=}$, within time $19\delta + 8$, unless a state in $C^{!}$ is reached, a state in $C_{WC}$ is reached, which implies that all trees are well-colored. Thus the coloring algorithm can proceed "normally."

In this section we show that the coloring algorithm achieves its goal of detecting the existence of multiple trees with the same root ID, by showing that $C_{WC} \xrightarrow[2/9]{58\delta + 28} C^{!}$.


Definition 7.67 (Neighboring trees) Trees $T_r$ and $T_{r'}$ are said to be neighbors if there exist $u \in T_r$ and $v \in T_{r'}$ such that $v \in \textit{Nbrs}(u)$.

Let $\alpha$ be any execution starting with a state in $C_{WC}$, and let $\alpha'$ be the maximal prefix of $\alpha$ that is in $C_{WC}$, if $\alpha$ is finite, or $\alpha$ itself, if it is infinite. Let $T$ and $\bar{T}$ be neighboring trees. From Observation 7.21, $\alpha'$ can be partitioned into coloring epochs $\gamma_i$ for $T$ and $\bar{\gamma}_i$ for $\bar{T}$ such that $\alpha' = \gamma_1 a \gamma_2 a \gamma_3 \cdots = \bar{\gamma}_1 a \bar{\gamma}_2 a \bar{\gamma}_3 \cdots$


Definition 7.68 ($\gamma_i$ notices $\bar{\gamma}_j$) Let $T$ and $\bar{T}$ be neighboring trees. Let $\gamma_i$ and $\bar{\gamma}_j$ be coloring epochs for $T$ and $\bar{T}$ respectively, and let COLOR($\gamma_i$), COLOR($\bar{\gamma}_j$) $\neq 0$. Then, in execution $\alpha$, $\gamma_i$ notices $\bar{\gamma}_j$ if there exists a step $(s, \text{COPY}_{uv}, s')$ in $\alpha$ such that $u \in T$, $v \in \bar{T}$, $v \in \textit{Nbrs}(u)$, and:

1. $s \in \gamma_i$, $s \in \bar{\gamma}_j$;

2. $s.\textit{color}_u = $ COLOR($\gamma_i$), $s.\textit{color}_v = $ COLOR($\bar{\gamma}_j$);

3. $s.\textit{mode}_u = \textit{broadcast}$.

If these conditions hold, we also say that $\gamma_i$ notices $\bar{\gamma}_j$ in step $(s, \text{COPY}_{uv}, s')$.

Definition 7.69 ($\gamma_i$ confronts $\bar{\gamma}_j$) $\gamma_i$ confronts $\bar{\gamma}_j$ if $\gamma_i$ notices $\bar{\gamma}_j$ and COLOR($\gamma_i$) $\neq$ COLOR($\bar{\gamma}_j$).
Lemma 7.70 Any coloring epoch $\gamma$ for a tree $T_r$ has duration $< 13\delta + 6$.

Proof. If $\textit{fstate}(\gamma) \notin MT_r$, then because a new color propagates within one time unit from a parent to its child, there exists a state $s \in \gamma$ such that $s.\textit{now} < \textit{fstate}(\gamma).\textit{now} + \delta$ and $s \in MT_r$. From Lemma 7.62, there exists a step $(s', \text{NEXT-COLOR}_r, s'')$ such that $s'.\textit{now} < s.\textit{now} + 12\delta + 6$ and $s'.\textit{color}_r \neq s''.\textit{color}_r$. Thus $s''$ begins a new coloring epoch. The Lemma follows from the fact that $s''.\textit{now} < \textit{fstate}(\gamma).\textit{now} + 13\delta + 6$. ∎

Lemma 7.71 Any coloring epoch $\gamma$ of color 0 for a tree $T_r$ has duration $< 3\delta + 2$.

Proof. Similar to that of Lemma 7.70, with the exception that from statement [J], a node colored 0 does not need to be enabled by its neighbors in order to echo. ∎


Lemma 7.72 If $\gamma_i$ confronts $\bar{\gamma}_j$, there exists $s'$ following $\textit{fstate}(\gamma_i)$ in $\alpha$ such that $s' \in C^{!}$ and $s'.\textit{now} < \textit{fstate}(\gamma_i).\textit{now} + (13\delta + 6)$.

Proof. If $\gamma_i$ confronts $\bar{\gamma}_j$, some node in $T$ must set $\textit{other-trees}$ to $\textit{true}$ in $\gamma_i$ within time $11\delta + 5$, since all nodes in $T$ cannot remain broadcasting for more than time $11\delta + 5$. By time $13\delta + 5$, the root of $T$ must set $\textit{other-trees}$ to $\textit{true}$, and by time $13\delta + 6$, it must extend its ID by executing EXTEND-ID$_r$, thus reaching a state in $C^{!}$. ∎


Lemma 7.73 There exists $i \leq 3$ such that $\gamma_i$ notices $\bar{\gamma}_j$ for some $j$.

Proof. Consider the following possibilities:

Case 1 COLOR($\gamma_1$) $= 0$.
Then by Claim 7.22 COLOR($\gamma_2$) $\neq 0$. There must then exist a step $(s, a, s')$ in $\gamma_2$ such that $s.\textit{color}_u = 0$, $s'.\textit{color}_u = $ COLOR($\gamma_2$), $s'.\textit{mode}_u = \textit{broadcast}$, and $s'.\textit{nbr-color}_{uv} = \textit{undefined}$. Since $u$ is blocked by $v$ on nbr-color in $s'$, there must exist another step $(s'', \text{COPY}_{uv}, s''')$ following $s'$ in $\gamma_2$ such that $s''.\textit{nbr-color}_{uv} = \textit{undefined}$ and $s'''.\textit{nbr-color}_{uv} > 0$. $s''$ must then belong in some epoch $\bar{\gamma}_j$ for $\bar{T}$ such that COLOR($\bar{\gamma}_j$) $\neq 0$. From the definitions, $\gamma_2$ notices $\bar{\gamma}_j$.

Case 2 COLOR($\gamma_1$) $\neq 0$.
If there exists a state $s'$ in $\gamma_1$ such that $s'.\textit{color}_u = $ COLOR($\gamma_1$), $s'.\textit{mode}_u = \textit{broadcast}$ and $s'.\textit{nbr-color}_{uv} = \textit{undefined}$, then by an argument similar to that in Case 1, $\gamma_1$ notices some $\bar{\gamma}_j$. If there exists no such $s'$, we use the fact that COLOR($\gamma_2$) $= 0$ (Claim 7.22). Then, by reasoning identical to that in Case 1, $\gamma_3$ must notice some $\bar{\gamma}_j$. ∎


7.3.1 The "Order" Results

Claim 7.74 Let $i < i'$. If $\gamma_i$ notices $\bar{\gamma}_j$ and $\gamma_{i'}$ notices $\bar{\gamma}_{j'}$, then $j \leq j'$.

Proof. Let $\gamma_i$ notice $\bar{\gamma}_j$ in step $(s_1, a, s_2)$ and $\gamma_{i'}$ notice $\bar{\gamma}_{j'}$ in step $(s_3, a, s_4)$. Since $\gamma_i$ precedes $\gamma_{i'}$ in $\alpha'$, $s_2$ precedes $s_3$. Since $s_1 \in \bar{\gamma}_j$ and $s_3 \in \bar{\gamma}_{j'}$, $\bar{\gamma}_j$ cannot follow $\bar{\gamma}_{j'}$ in $\alpha'$; hence $j \leq j'$. ∎

Claim 7.75 Let $\gamma_i$ notice $\bar{\gamma}_j$ and $\bar{\gamma}_{j'}$ notice $\gamma_{i'}$. Then,

1. $(j < j') \Rightarrow (i \leq i')$.

2. $(j > j') \Rightarrow (i \geq i')$.

Proof. Let $\gamma_i$ notice $\bar{\gamma}_j$ in step $(s_1, a, s_2)$ and let $\bar{\gamma}_{j'}$ notice $\gamma_{i'}$ in step $(s_3, a, s_4)$.

If $(j < j')$, $\bar{\gamma}_j$ precedes $\bar{\gamma}_{j'}$, so $s_2$ precedes $s_3$. Hence $\gamma_i$ must precede or coincide with $\gamma_{i'}$, and $i \leq i'$.

If $(j > j')$, $\bar{\gamma}_j$ follows $\bar{\gamma}_{j'}$, so $s_4$ precedes $s_1$. Thus $\gamma_i$ cannot precede $\gamma_{i'}$, and $i \geq i'$. ∎
Lemma 7.76 Let $i < i'$, and let $\gamma_i$ notice $\bar{\gamma}_j$ and $\gamma_{i'}$ notice $\bar{\gamma}_{j'}$. For any coloring epoch $\bar{\gamma}_{j''}$ such that $j < j'' < j'$, if $\bar{\gamma}_{j''}$ notices some coloring epoch $\gamma_{i''}$, then $i \leq i'' \leq i'$.

Proof. From Claim 7.75(1), $i \leq i''$, and from Claim 7.75(2), $i' \geq i''$. Hence $i \leq i'' \leq i'$. ∎


Lemma 7.77 Let COLOR($\gamma_i$) $=$ COLOR($\bar{\gamma}_j$) $\neq 0$, and let COLOR($\gamma_i$), COLOR($\gamma_{i+2}$), and COLOR($\bar{\gamma}_{j+2}$) all be different. If $\gamma_i$ notices $\bar{\gamma}_j$, then either $\gamma_{i+2}$ confronts ($\bar{\gamma}_j$ or $\bar{\gamma}_{j+2}$) or $\bar{\gamma}_{j+2}$ confronts ($\gamma_i$ or $\gamma_{i+2}$).

Proof. $\gamma_{i+2}$ must notice $\bar{\gamma}_k$ for some $k$. From Claim 7.74, $k \geq j$. If $k = j$, $\gamma_{i+2}$ confronts $\bar{\gamma}_j$. (Note that $k \neq j + 1$, since COLOR($\bar{\gamma}_{j+1}$) $= 0$.) If $k = j + 2$, $\gamma_{i+2}$ confronts $\bar{\gamma}_{j+2}$. Suppose $k > j + 2$. $\bar{\gamma}_{j+2}$ must then notice some $\gamma_{i''}$, and by Lemma 7.76, $i \leq i'' \leq i + 2$. Since COLOR($\gamma_{i+1}$) $= 0$, $i'' \neq i + 1$. Hence $\bar{\gamma}_{j+2}$ must notice either $\gamma_i$ or $\gamma_{i+2}$; it then confronts $\gamma_i$ and $\gamma_{i+2}$ respectively. ∎


Corollary 7.78 Let COLOR($\gamma_i$) $=$ COLOR($\bar{\gamma}_j$) $\neq 0$, and let COLOR($\gamma_i$), COLOR($\gamma_{i+2}$), and COLOR($\bar{\gamma}_{j+2}$) all be different. If $\gamma_i$ notices $\bar{\gamma}_j$, then there exists $s$ following $\textit{fstate}(\gamma_i)$ in $\alpha$ such that $s \in C^{!}$ and $(s.\textit{now} < \textit{fstate}(\gamma_i).\textit{now} + 42\delta + 20)$.

Proof. From Lemma 7.77, either $\gamma_{i+2}$ confronts ($\bar{\gamma}_j$ or $\bar{\gamma}_{j+2}$), or $\bar{\gamma}_{j+2}$ confronts ($\gamma_i$ or $\gamma_{i+2}$). Let $(s_1, a, s_2)$ be a "confrontation step" from those mentioned above. From Lemmas 7.70 and 7.71, the durations of $\gamma_i$ and $\bar{\gamma}_j$ are at most $13\delta + 6$, and those of $\gamma_{i+1}$ and $\bar{\gamma}_{j+1}$ are at most $3\delta + 2$. Hence $\textit{fstate}(\gamma_{i+2}).\textit{now} < \textit{fstate}(\gamma_i).\textit{now} + (13\delta + 6) + (3\delta + 2)$, and $\textit{fstate}(\bar{\gamma}_{j+2}).\textit{now} < \textit{fstate}(\bar{\gamma}_j).\textit{now} + (13\delta + 6) + (3\delta + 2)$. Since $\gamma_i$ notices $\bar{\gamma}_j$, Lemma 7.70 implies that $\textit{fstate}(\bar{\gamma}_j).\textit{now} < \textit{fstate}(\gamma_i).\textit{now} + (13\delta + 6)$. Therefore $\textit{fstate}(\bar{\gamma}_{j+2}).\textit{now} < \textit{fstate}(\gamma_i).\textit{now} + (29\delta + 14)$. Lemma 7.72 then implies that there exists a state $s$ following $\textit{fstate}(\gamma_i)$ in $\alpha$ such that $s \in C^{!}$ and $s.\textit{now} < \textit{fstate}(\gamma_i).\textit{now} + (29\delta + 14) + 13\delta + 6$, which yields the result. ∎


7.3.2 The Tree Detection Proposition

Theorem 7.79 $C_{WC} \xrightarrow[2/9]{58\delta + 28} C^{!}$.

Proof. Let $s \in C_{WC}$. If $s \notin C^{!}$, then $|s.\varrho| \geq 2$, so there exists more than one tree in $s$. Let $T$ and $\bar{T}$ be two neighboring trees. Let $\alpha$ be any execution fragment of RSST starting with $s$, and let $\alpha'$ be the maximal prefix of $\alpha$ that is in $C_{WC}$. Let $\alpha'$ be partitioned into coloring epochs $\gamma_i$ for $T$ and $\bar{\gamma}_i$ for $\bar{T}$ such that $\alpha' = \gamma_1 a \gamma_2 a \gamma_3 \cdots = \bar{\gamma}_1 a \bar{\gamma}_2 a \bar{\gamma}_3 \cdots$. By Lemma 7.73, unless a state in $C^{!}$ is reached in $\alpha$ before $\textit{lstate}(\gamma_3)$, there exists $i \leq 3$ such that $\gamma_i$ notices $\bar{\gamma}_j$ for some $j$. By Lemmas 7.70 and 7.71, $\textit{fstate}(\gamma_i).\textit{now} < s.\textit{now} + (16\delta + 8)$.

If COLOR($\gamma_i$) $\neq$ COLOR($\bar{\gamma}_j$), by Lemma 7.72 there exists a state $s'$ in $\alpha$ such that $s' \in C^{!}$ and $s'.\textit{now} < \textit{fstate}(\gamma_i).\textit{now} + (13\delta + 6) < s.\textit{now} + (29\delta + 14)$. If COLOR($\gamma_i$) $=$ COLOR($\bar{\gamma}_j$), let $(s_1, a, s_2)$ be a step in which $\gamma_i$ notices $\bar{\gamma}_j$. Consider the execution automaton $H = H(\text{RSST}, A, s_1)$.

Let the event $e'$ be defined as the event in which COLOR($\gamma_i$), COLOR($\gamma_{i+2}$), and COLOR($\bar{\gamma}_{j+2}$) are all different. Then,

$$P(e') = P(\text{COLOR}(\gamma_i) \neq \text{COLOR}(\gamma_{i+2})) \times P(\text{COLOR}(\bar{\gamma}_{j+2}) \notin \{\text{COLOR}(\gamma_i), \text{COLOR}(\gamma_{i+2})\}) = 2/3 \times 1/3 = 2/9$$

(since the colors are chosen from $\{1, 2, 3\}$).

For any execution $\alpha \in e'$, Corollary 7.78 implies that there exists $s'$ following $\textit{fstate}(\gamma_i)$ in $\alpha$ such that $s' \in C^{!}$ and $s'.\textit{now} < \textit{fstate}(\gamma_i).\textit{now} + 42\delta + 20$. Since $\textit{fstate}(\gamma_i).\textit{now} < s.\textit{now} + 16\delta + 8$, the Lemma follows. ∎


We are now in a position to state the Tree Detection Proposition:

Proposition 7.80 $C^{=} \xrightarrow[2/9]{70\delta + 36} C^{!}$.

Proof. From Lemma 7.66, $C^{=} \xrightarrow{12\delta + 8} C_{WC}$, and from Lemma 7.79, $C_{WC} \xrightarrow[2/9]{58\delta + 28} C^{!}$. Hence the Proposition follows. ∎
Chapter 8

The Deterministic Version

In this chapter we describe the main ideas behind the deterministic version of the algorithm, for ID-based networks.


For our deterministic algorithm, we assume that each node has access to a "hardwired" unique ID. We refer to the unique ID as the node's UID to prevent confusion with the node's "other" ID, which is a tuple of entries as in the randomized case. The "hardwiring" of the UID implies that the UID cannot be corrupted by the adversary; a node's UID always remains fixed and unique.


The deterministic protocol is very similar to the randomized version. Each node has an ID consisting of a tuple of entries; each entry is now an integer instead of a pair as for the randomized version. The tree overrunning process (and action MAXIMIZE-PRIORITY) is also identical: nodes attempt to form rooted trees, and trees compete with one another for being the eventual spanning tree.


The main simplification, compared to the randomized version, arises in the method for recoloring trees. We no longer need random coin flips to break symmetry: the unique UIDs are exploited for fully reliable symmetry breaking. Each node, as before, has a color. However, the main difference is that trees do not need to be repeatedly recolored. The root of a tree always attempts to propagate its UID as the color of its tree, so nodes repeatedly copy their parent's color. If a leaf notices a neighbor with the same ID but a different color, it concludes that its neighbor belongs to a different tree, and informs its root through the other-trees variable, which is echoed to its root by its ancestors in the tree. When a root detects the presence of a competing tree, it appends its own UID to its ID; this change in its ID is automatically propagated to its leaves. Note that we do not need the variables direction and recorded-color in the deterministic case.


The correctness and complexity proofs are analogous to those for the randomized version, with the exception that all probabilities in Chapter 6 are now certainties.
Chapter 9

Conclusions and Discussion

In this thesis we have presented self-stabilizing algorithms for constructing spanning trees in asynchronous networks in O(diameter) time; our algorithms are time-optimal. We have presented both a randomized version for anonymous networks and a deterministic version for ID-based networks; both versions use the same general paradigm. We have presented a formal analysis of the randomized protocol using the Probabilistic Automata formalism of Segala and Lynch; in doing so, we have demonstrated the capability of the model to effectively analyze the interactions between the probabilistic choices made by the random algorithmic steps and the nondeterministic choices made by the scheduler.


Besides the stabilization time, another key measure of efficiency (which we have hitherto not dwelt upon) is the space required at each node, i.e. the size of the local memory needed at each node to execute the algorithm. The optimal space requirement for an ID-based protocol must necessarily be $\Omega(\log n)$ (since there must exist IDs of size $\Omega(\log n)$).


Our deterministic protocol requires ID extensions of size $O(\log n)$, and our randomized protocol requires extensions of expected size $O(\log \log n)$. Since in a "well-colored" state (cf. Section 7) a root extends only if there exists another root with the same ID, it is likely that each root requires a total of $O(1)$ extensions in both versions of the protocol. If so, both protocols would require space only $O(\log n)$ bits larger than the space occupied at the "start" of the algorithm. (For the purposes of self-stabilization, the adversary is allowed to set the "initial" state, which might occupy an arbitrary amount of space (since in our protocols IDs can get arbitrarily large). However, the protocols then would "consume" at most expected $O(\log n)$ bits of memory more than the size of the longest "initial" ID.)


A current weakness of our scheme is that it is not guaranteed to function in bounded space; if the adversary sets "too much" of the initial bounded memory, the protocol could run out of space. An important open problem is to construct a time-optimal self-stabilizing spanning tree protocol that runs in bounded space, without any prior knowledge about the network parameters.
Appendix A

Properties of the Afek-Matias Probability Distribution

We now prove Theorems 4.2 and 4.3 stated in Section 4.1. Recall the definitions of Section 4.1. We first prove Theorem 4.2:


Theorem A.1 For any $k, i$, $P_{F^k}(\textit{UNIQH} \mid (\textit{Highest} \geq i)) \geq 1/2$.

For the rest of this chapter, to ease the notation, let $U$ denote the event $\textit{UNIQH}$, and let $H$ denote the random variable $\textit{Highest}$.

Recall that a flip $x$ actually represents a pair $(s, t)$, where $P(s = y) = 1/2^y$, and $P(t = y) = 1/K$, where for our purposes $K = 20 \ln 4r$.

We will use the following result throughout this section:

Claim A.2 $P_F(x) = P_F((s, t)) = 1/(2^s K)$. ∎

Claim A.3 $(a < b) \Rightarrow (P_F(a) \geq P_F(b))$.

Proof. Let $a = (s_a, t_a)$ and $b = (s_b, t_b)$, and let $a < b$. Then if $s_a < s_b$, $P_F(a) > P_F(b)$. If $s_a = s_b$ and $t_a < t_b$, $P_F(a) = P_F(b)$. ∎
Lemma A.4 If $a < b$, then

$$P_F((X < a) \mid (X \leq a)) \leq P_F((X < b) \mid (X \leq b)).$$

Proof. We have,

$$P_F((X < a) \mid (X \leq a)) = \frac{P_F(X < a)}{P_F(X \leq a)} = \frac{P_F(X \leq a) - P_F(X = a)}{P_F(X \leq a)} = 1 - \frac{P_F(X = a)}{P_F(X \leq a)}.$$

Similarly,

$$P_F((X < b) \mid (X \leq b)) = 1 - \frac{P_F(X = b)}{P_F(X \leq b)}.$$

But clearly $P_F(X \leq a) < P_F(X \leq b)$, and from Claim A.3, $P_F(X = a) \geq P_F(X = b)$. Hence the Lemma follows. ∎


Henceforth, unless otherwise mentioned, all probabilities are assumed to be in the space $F^k$.

Lemma A.5 If $a < b$, $P_{F^k}(U \mid (H = a)) \leq P_{F^k}(U \mid (H = b))$.

Proof. In the event $(U \cap (H = a))$ in $F^k$, the highest of the $k$ flips is unique and is equal to $a$; all the other $k - 1$ flips are less than $a$. Hence $P_{F^k}(U \mid (H = a)) = k \times [P_F((X < a) \mid (X \leq a))]^{k-1}$, and similarly $P_{F^k}(U \mid (H = b)) = k \times [P_F((X < b) \mid (X \leq b))]^{k-1}$. The Lemma follows from Lemma A.4. ∎


Lemma A.6 For any $i$, $P(U \mid (H \geq i)) \geq P(U \mid (H < i))$.

Proof. We have,

$$P(U \mid (H < i)) = \frac{P(U \cap (H < i))}{P(H < i)} = \frac{P(U \cap ((H = 1) \cup (H = 2) \cup \cdots \cup (H = i - 1)))}{P(H = 1) + P(H = 2) + \cdots + P(H = i - 1)} = \frac{\sum_{m < i} P(U \cap (H = m))}{\sum_{m < i} P(H = m)} = \frac{\sum_{m < i} P(H = m) P(U \mid (H = m))}{\sum_{m < i} P(H = m)} \quad \text{(A.1)}$$

Similarly,

$$P(U \mid (H \geq i)) = \frac{\sum_{m \geq i} P(H = m) P(U \mid (H = m))}{\sum_{m \geq i} P(H = m)} \quad \text{(A.2)}$$

Now by Lemma A.5, $\max_{m < i} P(U \mid (H = m)) \leq \inf_{m \geq i} P(U \mid (H = m))$. Thus, we can choose a $z$ such that

$$\max_{m < i} P(U \mid (H = m)) \leq z \leq \inf_{m \geq i} P(U \mid (H = m)).$$

Then from (A.1), $P(U \mid (H < i)) \leq z$, and from (A.2), $P(U \mid (H \geq i)) \geq z$. Hence the Lemma follows. ∎
Theorem A.7 $P_{F^k}(\textit{UNIQH} \mid (\textit{Highest} \geq i)) \geq 1/2$.

Proof. We have,

$$P(U) = P(U \cap (H < i)) + P(U \cap (H \geq i)) = P(H < i) P(U \mid (H < i)) + P(H \geq i) P(U \mid (H \geq i)) = [f P(H < i) + P(H \geq i)] P(U \mid (H \geq i))$$

where $f \leq 1$, because of Lemma A.6. Since $P(H < i) + P(H \geq i) = 1$, we have

$$P(U) \leq P(U \mid (H \geq i)).$$

Since $P(U) \geq 1/2$ by Theorem 4.1, it follows that $P(U \mid (H \geq i)) \geq 1/2$. ∎


We now proceed with the proof of Theorem 4.3, which states that for any $k, i$, $P_{F^k}(\textit{Highest} \neq i) \geq (1 - e^{-1/4}) \approx 0.22$.

We first prove an ancillary lemma:

Lemma A.8 For any $\epsilon$ such that $0 < \epsilon < 1/2$, and any $n > 0$,

$$f(\epsilon, n) = (1 - \epsilon)^n - (1 - 2\epsilon)^n \leq 0.78.$$

Proof. If $(1 - 2\epsilon)^n \geq 1/2$, then $f(\epsilon, n) \leq 1/2$, so the Lemma holds. We now consider the case in which $(1 - 2\epsilon)^n < 1/2$. Since $(1 - 2n\epsilon) \leq (1 - 2\epsilon)^n$, it follows that $(1 - 2n\epsilon) < 1/2$, which implies that $\epsilon > 1/4n$. Thus

thus proving the Lemma. ∎


Given a random flip $x$, let $x.s$ and $x.t$ denote its two fields. Recall that $P_F(X.s = j) = 1/2^j$.

Claim A.9

$$P_F(X.s \geq j) = \frac{1}{2^{j-1}}$$

Proof.

$$P_F(X.s \geq j) = \sum_{m \geq j} \frac{1}{2^m} = \frac{1}{2^{j-1}}$$

∎

Corollary A.10

Corollary A.11

Claim A.12

$$P_{F^k}(\textit{Highest}.s < j) = \left(1 - \frac{1}{2^{j-1}}\right)^k$$

Claim A.13

$$P_{F^k}(\textit{Highest}.s > j) = 1 - \left(1 - \frac{1}{2^j}\right)^k$$


We now prove the main theorem:

Theorem A.14 For any $k, i$, $P_{F^k}(\textit{Highest} \neq i) \geq (1 - e^{-1/4}) \geq 0.22$.

Proof. Let $i.s = j$. Then,

$$P_{F^k}(H \neq i) = P_{F^k}(H < i) + P_{F^k}(H > i) \geq P_{F^k}(H.s < j) + P_{F^k}(H.s > j) = \left(1 - \frac{1}{2^{j-1}}\right)^k + 1 - \left(1 - \frac{1}{2^j}\right)^k = 1 - \left[\left(1 - \frac{1}{2^j}\right)^k - \left(1 - \frac{1}{2^{j-1}}\right)^k\right]$$

Setting $1/2^j = \epsilon$, the last expression reduces to

$$P_{F^k}(H \neq i) \geq 1 - [(1 - \epsilon)^k - (1 - 2\epsilon)^k]$$

Since by Lemma A.8 $(1 - \epsilon)^k - (1 - 2\epsilon)^k \leq 0.78$, the Theorem follows. ∎
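As an added example (not code from the thesis), the following Python evaluates the quantities in Claims A.12 and A.13 and the bound of Theorem A.14 exactly for the $s$-field of an Afek-Matias flip, cross-checks the closed forms against a direct enumeration of $k$ flips, and confirms Lemma A.8 and the $1 - e^{-1/4}$ bound numerically over a grid; the function names, the grid sizes and the enumeration cutoff are my own assumptions.

```python
"""Exact checks of Appendix A (Claims A.12/A.13, Lemma A.8, Theorem A.14)
for the s-field of a flip, where P(X.s = j) = 1/2**j for j = 1, 2, ...
Only the s-field is modelled: the t-field (uniform on 1..K) does not
enter these particular bounds."""
from fractions import Fraction
from itertools import product
from math import exp


def p_s_equals(j: int) -> Fraction:
    """P_F(X.s = j) = 1/2^j, the geometric law of the s-field."""
    return Fraction(1, 2 ** j)


def p_highest_s_below(j: int, k: int) -> Fraction:
    """Claim A.12: P_{F^k}(Highest.s < j) = (1 - 1/2^(j-1))^k.
    All k flips must have s < j, and P_F(X.s < j) = 1 - 1/2^(j-1)."""
    return (1 - Fraction(1, 2 ** (j - 1))) ** k


def p_highest_s_above(j: int, k: int) -> Fraction:
    """Claim A.13: P_{F^k}(Highest.s > j) = 1 - (1 - 1/2^j)^k."""
    return 1 - (1 - Fraction(1, 2 ** j)) ** k


def p_highest_s_not(j: int, k: int) -> Fraction:
    """P_{F^k}(Highest.s != j), the sum used in the proof of Theorem A.14."""
    return p_highest_s_below(j, k) + p_highest_s_above(j, k)


def theorem_a14_bound(j: int, k: int) -> Fraction:
    """1 - [(1-eps)^k - (1-2 eps)^k] with eps = 1/2^j (Theorem A.14).
    Algebraically equal to p_highest_s_not(j, k); kept separate as a check."""
    eps = Fraction(1, 2 ** j)
    return 1 - ((1 - eps) ** k - (1 - 2 * eps) ** k)


def f_lemma_a8(eps: float, n: int) -> float:
    """f(eps, n) = (1-eps)^n - (1-2 eps)^n from Lemma A.8."""
    return (1 - eps) ** n - (1 - 2 * eps) ** n


def max_f_over_grid(max_n: int, steps: int = 50) -> float:
    """Largest f(eps, n) over eps in (0, 1/2) (constructed grid) and
    1 <= n <= max_n; Lemma A.8 says this never exceeds 0.78."""
    return max(f_lemma_a8(i / (2 * steps), n)
               for i in range(1, steps) for n in range(1, max_n + 1))


def p_highest_s_not_by_enumeration(j: int, k: int, cutoff: int = 12) -> Fraction:
    """Independent check of p_highest_s_not: enumerate all k-tuples of
    s-values over 1..cutoff, lumping the tail s > cutoff into one value
    (cutoff+1) carrying the remaining mass 1/2^cutoff.  Exact for j <= cutoff,
    since lumping only merges values that are all != j."""
    support = list(range(1, cutoff + 1)) + [cutoff + 1]
    mass = {s: p_s_equals(s) for s in range(1, cutoff + 1)}
    mass[cutoff + 1] = Fraction(1, 2 ** cutoff)  # tail mass
    total = Fraction(0)
    for flips in product(support, repeat=k):
        if max(flips) != j:
            pr = Fraction(1)
            for s in flips:
                pr *= mass[s]
            total += pr
    return total


def min_bound_over_grid(max_j: int, max_k: int) -> Fraction:
    """Smallest P_{F^k}(Highest.s != j) over 1 <= j <= max_j, 1 <= k <= max_k;
    Theorem A.14 promises every entry is at least 1 - e^(-1/4) ~ 0.22."""
    return min(p_highest_s_not(j, k)
               for j in range(1, max_j + 1) for k in range(1, max_k + 1))


if __name__ == "__main__":
    for j, k in [(1, 1), (2, 2), (3, 5)]:
        print(j, k, float(p_highest_s_not(j, k)), float(theorem_a14_bound(j, k)),
              float(p_highest_s_not_by_enumeration(j, k)))
    print("max f(eps, n) on grid:", max_f_over_grid(40))
    print("min P(Highest.s != j) on grid:", float(min_bound_over_grid(8, 12)),
          ">= 1 - e^(-1/4) =", 1 - exp(-0.25))
```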